failure checking when handled jar file

[firefive4u]

When I used it to test with jsoup-1.9.2.jar, no CVE found, no product found. Not sure what happened, there was pom.xml in jar. Could you help on it?

[firefive4u]

I want this tool can check vulnerability of jsoup with 1.9.2 in database, how can I achieve this purpose?

[anthonyharrison]

@firefive4u The tool will check for vulnerabilities in a jar file. The tool correctly identifies the product but because there is no vendor associated with the vulnerability it is unable to detect the vulnerabilities. This is a limitation of the tool.

╭───────────────────────────────────────────────╮
│ Products with No Identified Vulnerabilities │
╰───────────────────────────────────────────────╯
┏━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃
┡━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━┩
│ unknown │ jsoup │ 1.9.2 │
│ unknown │ junit │ 4.5 │
└─── ────┴───── ──┴─────── ┘

To handle the case where the product vendor is not known, we are planning to support package URLs (PURL) e.g. pkg:maven/org.jsoup/jsoup@1.9.2 for products identified within an SBOM.

[terriko]

I think any solution we make for #3152 might be generalizable to handle mappings for jar files better too. I think the solution for that will need some sort of lookup table that people could add to with vendor mappings for common products (we have these mappings for binary findings, but not yet for pom.xml findings). Not sure if we'll get to that before the planned PURL support, but it's another approach for improvement.

As a workaround in the meantime, you could maybe use a multi-step process:

1. Use cve-bin-tool (or a similar tool) to generate an SBOM or other format of component list (we also can just take a .csv file)
2. Manually add the vendor where it's known
3. Scan the sbom using cve-bin-tool to get valid results.

I know, probably not the most satisfying. But that will work right now while we sort out how to do better.

[anthonyharrison]

@firefive4u Once merged, #3150 will find vulnerabilities in JSOUP 1.9.2

[firefive4u]

thanks all for your responses, glad to hear that.