Steady's vulnerability reports for the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 projects are completely identical.

[momo-tong]

Describe the bug
Steady's vulnerability reports for the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 projects are completely identical.

My objective is to analyze the vulnerabilities of the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 versions. Since Steady only analyzes vulnerabilities for third-party dependencies using a POM configuration file, I have created my own configuration file. Steady analyzed the com.fasterxml.jackson.core:jackson-databind software for the three versions mentioned. The CVE reported on the Steady webpage are identical. Additionally, I used Steady to scan the JAR files for versions 2.0.0 and 2.6.5, and the vulnerability reports for all versions are also identical. I have updated the database to the latest.

Can you provide me with some assistance to resolve or explain this issue? Thanks very much!

To Reproduce
my own configuration file

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>untitled</artifactId>
    <version>2.0.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.0.0</version>
            <scope>compile</scope>
        </dependency>
    </dependencies>

</project>

the command

#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal a2c
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
#sudo java -Xms2048m  -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report

Steady result

RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2017-17485
9.8 (v3.1)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2017-7525
9.8 (v3.1)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2018-11307
9.8 (v3.1)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2018-12022
7.5 (v3.0)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2018-12023
7.5 (v3.0)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2018-5968
8.1 (v3.1)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2018-7489
9.8 (v3.0)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2019-14540
9.8 (v3.1)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2019-16335
9.8 (v3.1)
RUNTIME
direct
jackson-databind-2.6.5.jar
CVE-2020-36518
7.5 (v3.1)

[serenaponta]

Hi @momo-tong, you shared the configuration used as a pom file but from the command it looks like you used the CLI tool. The CLI does not consume the information in the pom and, e.g., to identify the scanned application uses the properties given in the ./steady-custom.properties file.

Could you share more insights on how you run the tool and attach the report or screenshot of the web frontend for the 3 applications you considered (corresponding to the three jackson-databind versions you are targeting)?

[momo-tong]

Hi, Thanks for your reply.

I want to analyze the vulnerabilities of the com.fasterxml.jackson.core:jackson-databind 2.0.0, 2.6.5, and 2.8.0 versions. I will provide information of steady-custom.properties file and the web results. Could you please help me resolve this problem?

./steady-custom.properties file of com.fasterxml.jackson.core:jackson-databind 2.0.0
vulas.shared.backend.serviceUrl=http://localhost:8033/backend
vulas.shared.cia.serviceUrl=http://localhost:8033/cia
vulas.shared.tmpDir = vulas/tmp

vulas.core.appContext.group = org.example
vulas.core.appContext.artifact = untitled
vulas.core.appContext.version = 2.0.0-SNAPSHOT
vulas.core.app.appPrefixes = untitled
vulas.core.app.sourceDir = app

the screenshot of the web frontend for com.fasterxml.jackson.core:jackson-databind 2.0.0

./steady-custom.properties file of com.fasterxml.jackson.core:jackson-databind 2.6.5
vulas.shared.backend.serviceUrl=http://localhost:8033/backend
vulas.shared.cia.serviceUrl=http://localhost:8033/cia
vulas.shared.tmpDir = vulas/tmp

vulas.core.appContext.group = org.example
vulas.core.appContext.artifact = untitled
vulas.core.appContext.version = 2.6.5-SNAPSHOT
vulas.core.app.appPrefixes = untitled
vulas.core.app.sourceDir = app

the screenshot of the web frontend for com.fasterxml.jackson.core:jackson-databind 2.6.5

./steady-custom.properties file of com.fasterxml.jackson.core:jackson-databind 2.8.0
vulas.shared.backend.serviceUrl=http://localhost:8033/backend
vulas.shared.cia.serviceUrl=http://localhost:8033/cia
vulas.shared.tmpDir = vulas/tmp

vulas.core.appContext.group = org.example
vulas.core.appContext.artifact = untitled
vulas.core.appContext.version = 2.8.0-SNAPSHOT
vulas.core.app.appPrefixes = untitled
vulas.core.app.sourceDir = app

the screenshot of the web frontend for com.fasterxml.jackson.core:jackson-databind 2.8.0

[serenaponta]

Hi @momo-tong,

sorry for the late reply. In the screenshots the right-most column "Includes vulnerable code" is not visible. From the results I expect it to show an "orange hourglass", meaning that the tool didn't yet or couldn't analyse the vulnerable code, i.e., it knows it includes a class or method changed in order to fix the vulnerability, but couldn't establish whether it contains it in its vulnerable or fixed version.

Whenever the vulnerability fix involves method code changes, orange hourglasses may turn to red/green marks thanks to the patch-lib-analyzer (running asynchronously from the scan in a dedicated container). The same can also be run manually for specific vulnerabilities as described at https://eclipse.github.io/steady/user/manuals/library_assessment/#usage

In case the vulnerability only includes no-code changes (or--in the current implementation of Steady--only changes class fields as it often happens for Jackson databind vulnerabilities), a manual assessment is needed, see Manual Library Assessment

Once assessments are available for a number of library versions and a given vulnerability (created either by patch-lib-analyzer or manually), the goal check-code can help creating additional results. However i do not think this fits your case.