Running against Apache Tomcat source identifies vulnerable dependency: Apache Tomcat

[ChristopherSchultz]

STR:

1. Grab the latest Apache Tomcat source from svn

svn checkout https://svn.apache.org/repos/asf/tomcat/trunk tomcat-trunk

2. Extract + Build Tomcat

cd tomcat-trunk
ant deploy

3. Run dependency-check against the result. One can use this ant <target> to do so:

  <target name="dependency-check">
    <property name="dependency-check.home"
value="${user.home}/packages/dependency-check-ant" />
    <property name="doc.dir" value="output" />
    <path id="dependency-check.path">
      <pathelement
location="${dependency-check.home}/dependency-check-ant.jar"/>
      <fileset dir="${dependency-check.home}/lib">
        <include name="*.jar"/>
      </fileset>
    </path>
    <taskdef resource="dependency-check-taskdefs.properties">
      <classpath refid="dependency-check.path" />
    </taskdef>

    <property name="dependency-check.output-dir" value="${doc.dir}" />
    <mkdir dir="${dependency-check.output-dir}" />
    <dependency-check projectname="${ant.project.name}"
reportoutputdirectory="${dependency-check.output-dir}">
      <suppressionfile path="res/dependency-check-suppressions.xml" />
      <fileset dir="output/build">
        <include name="lib/*.jar"/>
        <include name="bin/*.jar"/>
      </fileset>
    </dependency-check>
  </target>

Two issues:

1. dependency-check identifies Tomcat as a dependency of itself
2. dependency-check misidentifies the version of Tomcat (version is 9.0.x, reports vulnerabilities on Tomcat 7.0.x)

[ghollies]

We had a similar issue,
We just updated to 3.3.1 (not sure if it was coincidence or not) but shortly after we had the following CVEs come up for the following two libraries: tomcat-el-api-8.5.32.jar and tomcat-servlet-api-8.5.32.jar being brought in from org.apache.tomcat:tomcat-catalina:8.5.32

cve - affected versions

CVE-2000-0672 <= 3.1
CVE-2000-0760 <= 3.1
CVE-2000-1210 <= 3.1
CVE-2001-0590 <= 3.2.2
CVE-2002-0493 <= 3.3.2
CVE-2002-1148 <= 4.1.10
CVE-2002-2006 <= 4.1.0
CVE-2003-0042 <= 3.3.1
CVE-2003-0043 <= 3.3.1
CVE-2003-0044 <= 3.3.1
CVE-2003-0045 <= 3.3.1
CVE-2005-0808 <= 3.3.1
CVE-2005-4838 <= 5.5.6
CVE-2006-7196 <= 5.5.15
CVE-2007-0450 <= 6.0.9
CVE-2007-1358 <= 4.1.31
CVE-2007-2449 <= 6.0.13
CVE-2008-0128 <= 5.5.20
CVE-2009-2696 <= 4.1.39
CVE-2009-3548 <= 6.0.20
CVE-2012-5568 <= 7.0.28
CVE-2013-2185 <= 7.0.39
CVE-2013-4286 <= 8.0.0 RC2
CVE-2013-4322 <= 8.0.0 RC8
CVE-2013-4444 <= 7.0.39
CVE-2013-4590 <= 8.0.0 RC8
CVE-2013-6357 <= 5.5.25
CVE-2014-0075 <= 8.0.3
CVE-2014-0096 <= 8.0.3
CVE-2014-0099 <= 8.0.3
CVE-2014-0119 <= 8.0.5

[jeremylong]

Thanks for the FP report. I will sweep through these before the next release.

[tpruthi]

+1 I am also getting the same issue. My tomcat version is latest, but i am still getting vulnerabilities for many tomcat jars showing cve which were affected on < tomcat 8.0.5

[jeremylong]

While some of the FP have been corrected - more work will need to be done on being able to scan the tomcat build itself.

Part of the issue is that Tomcat does not version some of its components (such as bootstrap) with the current version of Tomcat being built - not that this is a problem, it is just the problem the team has to solve for scanning the Tomcat build directly.

In addition, as to Tomcat being identified as a dependency of Tomcat - this type of scenario can happen if using the ODC Ant plugin, Jenkins plugin, or CLI when they are configured/used to scan the entire build including all outputs. This is because these three don't really have a dependency management system that they can use (like the gradle and maven plugins).

[ChristopherSchultz]

Well, I'm on the Tomcat team, so I can help solve some of those things. :) I'll get started with versioning bootstrap.jar.

[ChristopherSchultz]

Tomcat 8.5.35 is currently being voted for release. I checked the bootstrap.jar file and it contains these metadata:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.13
Created-By: 1.8.0_181-b13 (Oracle Corporation)
Main-Class: org.apache.catalina.startup.Bootstrap
Specification-Title: Apache Tomcat Bootstrap
Specification-Version: 8.5
Specification-Vendor: Apache Software Foundation
Implementation-Title: Apache Tomcat Bootstrap
Implementation-Version: 8.5.35
Implementation-Vendor: Apache Software Foundation
X-Compile-Source-JDK: 1.7
X-Compile-Target-JDK: 1.7
Class-Path: commons-daemon.jar

Is the Implementation-Version not enough of a hint as to what this JAR contains?

Or were you looking for a filename like bootstrap-x.y.z.jar that can be more-easily checked?

[jeremylong]

The version number in the Implementation-Version is fine. Are there other libraries in Tomcat that are not versioned the same as the core engine?

[ChristopherSchultz]

Yes. Tomcat bundles commons-fileupload, commons-dbcp, servlet-api, websocket-api, etc. that all come from other sources. Also, the native libraries shipped with each version of Tomcat have a separate version numbering scheme.