[FP]: Akka.Net Libraries Flagged as outdated Akka Scala Libraries #5836

Open
ewilansky opened this issue Jul 24, 2023 · 6 comments

Comments


ewilansky commented Jul 24, 2023

Package URL

pkg:nuget/Akka.Cluster.Hosting@1.5.7

CPE

cpe:2.3:a:akka:akka:::::::: versions up to (including) 2.4.16

CVE

CVE-2017-1000034

ODC Integration

{"label"=>"CLI"}

ODC Version

8.3.1

Description

All Akka DotNet packages (implemented by Petabridge) are incorrectly detected as Akka Scala packages. I've only added a single package to the package URI field above to allow the automated script attached to this issue post to run. However, this same false positive applies to these packages:

  • pkg:nuget/Akka.Hosting.TestKit@1.5.7
  • pkg:nuget/Akka.Persistence.Redis@1.5.0
  • pkg:nuget/Akka.Streams@1.5.8
  • pkg:nuget/Akka.TestKit.XUnit2@1.5.8

Vendor home page: https://getakka.net/
Vendor source: https://github.com/akkadotnet/akka.net

The only way we have found around this is to add suppressions (attached).
owasp-suppressions.xml.zip

@github-actions
Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/5647114488

ewilansky changed the title from "[FP]: Akka.Net Libraries Flagged as outdated Akka Libraries" to "[FP]: Akka.Net Libraries Flagged as outdated Akka Scala Libraries" on Jul 24, 2023
@github-actions
Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/5647129879

@Aaronontheweb

Determining projects to restore...
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018: The "WriteRestoreGraphTask" task failed unexpectedly. [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018: System.ArgumentException: '1.5.7, pkg:nuget/Akka.Hosting.TestKit@1.5.7, pkg:nuget/Akka.Persistence.Redis@1.5.0, pkg:nuget/Akka.Streams@1.5.8, pkg:nuget/Akka.TestKit.XUnit2@1.5.8' is not a valid version string. (Parameter 'value') [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Versioning.NuGetVersion.Parse(String value) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Commands.MSBuildRestoreUtility.GetVersion(IMSBuildItem item) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Commands.MSBuildRestoreUtility.GetPackageSpec(IEnumerable`1 items) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at System.Linq.Enumerable.SelectEnumerableIterator`2.MoveNext() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Commands.MSBuildRestoreUtility.GetDependencySpec(IEnumerable`1 items) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at NuGet.Build.Tasks.WriteRestoreGraphTask.Execute() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at Microsoft.Build.BackEnd.TaskExecutionHost.Microsoft.Build.BackEnd.ITaskExecutionHost.Execute() [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
/usr/share/dotnet/sdk/7.0.306/NuGet.targets(190,5): error MSB4018:    at Microsoft.Build.BackEnd.TaskBuilder.ExecuteInstantiatedTask(ITaskExecutionHost taskExecutionHost, TaskLoggingContext taskLoggingContext, TaskHost taskHost, ItemBucket bucket, TaskExecutionMode howToExecuteTask) [/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj]
Unable to create dependency graph file for project '/home/runner/work/DependencyCheck/DependencyCheck/fp-project/fp-project.csproj'. Cannot add package reference.
Error: Process completed with exit code 1.

Hmmm, the tool doesn't like that version string.

@github-actions
Contributor

Nuget Coordinates

dotnet add package Akka.Cluster.Hosting --version 1.5.7

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5836
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/Akka\.Cluster\.Hosting@.*$</packageUrl>
   <cpe>cpe:/a:akka:akka</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5647181434
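A check of what the posted packageUrl regex actually covers, as an added example rather than code from the issue or from DependencyCheck: it parses the rule above, applies a simplified model of ODC's matching (packageUrl regex plus cpe prefix, which is an assumption about the engine), and compares the posted rule with a family-wide regex (assumed, not from the issue) that also covers the other Akka.NET packages ewilansky listed, while confirming a constructed Maven Akka artifact would still not be suppressed.

```python
import re
import xml.etree.ElementTree as ET

# Rule text as posted in the issue (namespace omitted so ElementTree finds the elements;
# a real suppression file also declares the dependency-suppression xsd namespace).
ISSUE_RULE_XML = r"""<suppressions>
  <suppress base="true">
    <notes><![CDATA[ FP per issue #5836 ]]></notes>
    <packageUrl regex="true">^pkg:nuget/Akka\.Cluster\.Hosting@.*$</packageUrl>
    <cpe>cpe:/a:akka:akka</cpe>
  </suppress>
</suppressions>"""

# One family-wide rule (assumed alternative, not from the issue): any nuget Akka.* package.
FAMILY_RULE_XML = ISSUE_RULE_XML.replace(
    r"^pkg:nuget/Akka\.Cluster\.Hosting@.*$", r"^pkg:nuget/Akka(\.[A-Za-z0-9]+)*@.*$")

# Package URLs the issue lists as false positives, plus the CPE in cpe 2.2 form.
FLAGGED_PURLS = [
    "pkg:nuget/Akka.Cluster.Hosting@1.5.7",
    "pkg:nuget/Akka.Hosting.TestKit@1.5.7",
    "pkg:nuget/Akka.Persistence.Redis@1.5.0",
    "pkg:nuget/Akka.Streams@1.5.8",
    "pkg:nuget/Akka.TestKit.XUnit2@1.5.8",
]
FLAGGED_CPE = "cpe:/a:akka:akka:2.4.16"  # constructed 2.2-style value for the matched CPE

def load_rules(xml_text):
    """Return (compiled packageUrl pattern, cpe prefix) per <suppress> element."""
    rules = []
    for sup in ET.fromstring(xml_text).iter("suppress"):
        purl = sup.find("packageUrl")
        pattern = purl.text if purl.get("regex") == "true" else re.escape(purl.text)
        cpe = sup.find("cpe")
        rules.append((re.compile(pattern), cpe.text.strip() if cpe is not None else ""))
    return rules

def is_suppressed(purl, cpe, rules):
    """Simplified model (assumption): the packageUrl regex must match AND the flagged
    CPE must start with the rule's <cpe> value, so cpe:/a:akka:akka covers its versions."""
    return any(rx.fullmatch(purl) and cpe.startswith(prefix) for rx, prefix in rules)

def coverage(xml_text, purls=FLAGGED_PURLS, cpe=FLAGGED_CPE):
    """Map each flagged package URL to whether the rule set would suppress it."""
    rules = load_rules(xml_text)
    return {p: is_suppressed(p, cpe, rules) for p in purls}
```

The posted rule suppresses only Akka.Cluster.Hosting, so each other package would need its own entry; the family-wide regex stays scoped to pkg:nuget so a genuine Scala Akka dependency pulled in via Maven keeps its finding.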

@ewilansky
Author

I updated the post to include a single package URI to see if that resolves that issue.

@ewilansky
Author

Will this issue be assigned for resolution, or is the only remediation for these false positives going to be adding a suppression entry for each one? These libraries should be tracked going forward, so marking them for suppression isn't a good long-term option.
