Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GHSA-mjmj-j48q-9wg2 is triggering for snakeyaml-engine but CVE is for just "snakeyaml" #1720

Open
mr-c opened this issue Feb 23, 2023 · 5 comments

Comments

@mr-c
Copy link

mr-c commented Feb 23, 2023

For some reason the package specification org.yaml:snakeyaml is matching org.snakeyaml:snakeyaml-engine which is a completely different codebase.

image

https://github.com/common-workflow-language/cwljava/blob/63e794f42ed28a03a9bb5429b8e503edb320138c/pom.xml#L99

image

@mr-c
Copy link
Author

mr-c commented Mar 25, 2023

image

@laserlemon
Copy link
Member

I believe this repository uses Dependency Graph's submissions API. After their CI runs on actions, it appears they are submitting the full dependency tree to Dependency Graph. The behavior we're seeing is consistent with that submission including a vulnerable version of org.yaml:snakeyaml.

Looking a little deeper, their dependency insights page does indeed show a dependency on org.yaml:snakeyaml = 1.33 (as of this writing).

@elireisman
Copy link

This looks like a problem with the snapshot detector in use - there are a couple other similar tickets in play. Snapshot submissions are assumed resolved by the submitter, we don't normally validate against the same package mappings and metadata we do for manifest based deps.

Last time this came up, I validated the snapshot submission was picking up the wrong mapping here, but as you can see in the manifest, the right artifactId appears there, and that is what the DG-API manfiest-level data records.

There's been some recent work to integrate snapshot and static-manifest data in repo insights that may be in play here? cc @juxtin

@cnagadya
Copy link

cnagadya commented Apr 6, 2023

snakeyaml is a dependency of the above repo albeit an indirect one pulled in by jackson-dataformat-yaml. Work is still in progress to refresh this page and we intend to show the relationship of the different dependencies in future
Here is the snapshot generated by the Maven Dependency Tree Dependency Submission action installed on the repo. I've however extracted some bits I've deemed relevant below

{
  ...
  "pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar":{
                 "package_url":"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar",
                 "relationship":"direct",
                 "scope":"runtime",
                 "dependencies":[
                    "pkg:maven/org.yaml/[email protected]?type=jar"
                 ]
              },
   ...,
    "pkg:maven/org.yaml/[email protected]?type=jar":{
       "package_url":"pkg:maven/org.yaml/[email protected]?type=jar",
       "relationship":"indirect",
       "scope":"runtime"
    }
   ...
   "scanned":"2023-03-25T09:31:05.323Z"
   }

@lseppala
Copy link

Thanks for the thorough explanation, @cnagadya!

To confirm, the issue was that snakeyaml was a transitive dependency of jackson-dataformat-yaml. However, we do not make it clear in the Dependency Graph or Dependabot Alert UIs from where a transitive dependency is coming from. Making this relationship more obvious is planned as future work for the Dependabot and Dependency Graph team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants