[BUG] When setting the outputFormat to DEPENDENCY_GRAPH ossindexAudit succeeds, even though vulnerabilities are found #164

Description

@rprinsen

When I set the outputFormat to DEPENDENCY_GRAPH, the task succeeds, even though vulnerabilities are found:

> Task :ossIndexAudit
Using anonymous request
  ________  ___   ___  __   ____  ____________   _  __
 / ___/ _ \/ _ | / _ \/ /  / __/ / __/ ___/ _ | / |/ /
/ (_ / , _/ __ |/ // / /__/ _/  _\ \/ /__/ __ |/    /
\___/_/|_/_/ |_/____/____/___/ /___/\___/_/ |_/_/|_/

  _      _                       _   _
 /_)    /_`_  _  _ _/_   _  _   (/  /_`_._  _   _/ _
/_)/_/ ._//_// //_|/ /_//_//_' (_X /  ///_'/ //_/_\
   _/                _//
Gradle Scan version: 2.8.2
------------------------------------------------------------------------------------------------------------------------------------------------------
Checking vulnerabilities in 573 dependencies
Found vulnerabilities in 12 dependencies
+--- org.springframework.boot:spring-boot-starter-web:2.7.18: 0 vulnerabilities detected
|    +--- org.springframework.boot:spring-boot-starter:2.7.18: 0 vulnerabilities detected
|    |    +--- org.springframework.boot:spring-boot-starter-logging:2.7.18: 0 vulnerabilities detected
|    +--- org.springframework.boot:spring-boot-starter-json:2.7.18: 0 vulnerabilities detected
|    |    +--- org.springframework.boot:spring-boot-starter:2.7.18 (*): 0 vulnerabilities detected

(*) - if present, dependencies omitted (listed previously)

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.5/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD SUCCESSFUL in 2s

When I set the outputFormat to DEFAULT, it fails (as expected):

Task :ossIndexAudit FAILED
Using anonymous request
  ________  ___   ___  __   ____  ____________   _  __
 / ___/ _ \/ _ | / _ \/ /  / __/ / __/ ___/ _ | / |/ /
/ (_ / , _/ __ |/ // / /__/ _/  _\ \/ /__/ __ |/    /
\___/_/|_/_/ |_/____/____/___/ /___/\___/_/ |_/_/|_/

  _      _                       _   _
 /_)    /_`_  _  _ _/_   _  _   (/  /_`_._  _   _/ _
/_)/_/ ._//_// //_|/ /_//_//_' (_X /  ///_'/ //_/_\
   _/                _//
Gradle Scan version: 2.8.2
------------------------------------------------------------------------------------------------------------------------------------------------------

Checking vulnerabilities in 573 dependencies
Found vulnerabilities in 6 dependencies
[1/6] - pkg:maven/ch.qos.logback/logback-classic@1.2.12 - 1 vulnerability found!

   Vulnerability Title:  [CVE-2023-6378] CWE-502: Deserialization of Untrusted Data
   ID:  CVE-2023-6378
   Description:  A serialization vulnerability in logback receiver component part of  logback version 1.4.11 allows an attacker to mount a Denial-Of-Servi...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2023-6378
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-classic&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

[2/6] - pkg:maven/ch.qos.logback/logback-core@1.2.12 - 1 vulnerability found!

   Vulnerability Title:  [CVE-2023-6378] CWE-502: Deserialization of Untrusted Data
   ID:  CVE-2023-6378
   Description:  A serialization vulnerability in logback receiver component part of  logback version 1.4.11 allows an attacker to mount a Denial-Of-Servi...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2023-6378
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2023-6378?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.2

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':ossIndexAudit'.
> Vulnerabilities detected, check log output to review them

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.5/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD FAILED in 2s

To Reproduce
Steps to reproduce the behavior:
Set the outputFormat to DEPENDENCY_GRAPH and run the ossIndexAudit task in a project with dependencies with known vulnerabilities.

Expected behavior
The Gradle task should fail if any vulnerabilities are found.

Additional context
When using the outputFormat DEFAULT or JSON_CYCLONE_DX_1_4, the task fails (as expected).
I'm using plugin version 2.8.3 with Gradle 8.5.
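Until the plugin fails the build for this output format, a CI step can gate on the DEPENDENCY_GRAPH log itself. The script below is an added example, not part of the issue or of the plugin; it parses the "Found vulnerabilities in N dependencies" summary and the per-node "N vulnerabilities detected" tree lines shown above and exits non-zero when any count is above zero. The embedded sample log is constructed from the issue's output with one vulnerable node added.

```python
import re
import sys
from typing import Dict, Tuple

# Summary line printed by ossIndexAudit, e.g. "Found vulnerabilities in 12 dependencies"
SUMMARY_RE = re.compile(r"^Found vulnerabilities in (\d+) dependenc")
# One DEPENDENCY_GRAPH tree line, e.g.
# "|    +--- org.springframework.boot:spring-boot-starter:2.7.18 (*): 0 vulnerabilities detected"
NODE_RE = re.compile(
    r"[+\\]--- (?P<coord>\S+?)(?: \(\*\))?: (?P<count>\d+) vulnerabilit(?:y|ies) detected$"
)

def parse_audit_log(text: str) -> Tuple[int, Dict[str, int]]:
    """Return (summary_count, {coordinate: count}) extracted from the audit log."""
    summary = 0
    per_node: Dict[str, int] = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            summary = int(m.group(1))
            continue
        m = NODE_RE.search(line)
        if m:
            coord = m.group("coord")
            count = int(m.group("count"))
            # a coordinate may be listed more than once (the "(*)" repeats); keep the max
            per_node[coord] = max(count, per_node.get(coord, 0))
    return summary, per_node

def audit_should_fail(text: str) -> bool:
    """True when the build should be failed: any vulnerable dependency was reported."""
    summary, per_node = parse_audit_log(text)
    return summary > 0 or any(c > 0 for c in per_node.values())

# Constructed sample modelled on the issue's DEPENDENCY_GRAPH output (one nonzero node added)
SAMPLE_LOG = """\
> Task :ossIndexAudit
Checking vulnerabilities in 573 dependencies
Found vulnerabilities in 12 dependencies
+--- org.springframework.boot:spring-boot-starter-web:2.7.18: 0 vulnerabilities detected
|    +--- org.springframework.boot:spring-boot-starter:2.7.18: 0 vulnerabilities detected
|    |    \\--- ch.qos.logback:logback-classic:1.2.12: 1 vulnerability detected
|    +--- org.springframework.boot:spring-boot-starter:2.7.18 (*): 0 vulnerabilities detected
BUILD SUCCESSFUL in 2s
"""

if __name__ == "__main__":
    # pipe the Gradle output in (./gradlew ossIndexAudit | python3 gate.py), else use the sample
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    sys.exit(1 if audit_should_fail(log) else 0)
```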
