Related vulnerability
Description
Context of CVE-2021-26291 minimal replicator
Introduction
After significant effort, I stripped it down to a minimal replicator.
This is just an empty project to demonstrate the issue with the dependency-check-maven usage that my company rules force on me.
Do check the pom.xml and verify with:
`mvn org.owasp:dependency-check-maven:RELEASE:aggregate`
Or, if you have an NVD_API_KEY environment variable, the faster:
`mvn org.owasp:dependency-check-maven:RELEASE:aggregate -DnvdApiKey=${NVD_API_KEY}`
And you will get a lot of findings, including:
```
...
[ERROR] maven-core-3.6.3.jar (pkg:maven/org.apache.maven/maven-core@3.6.3, cpe:2.3:a:apache:maven:3.6.3:*:*:*:*:*:*:*): CVE-2021-26291(9.1)
...
```
The "apparently" misleading [dependency-check-report.html](target/site/dependency-check/dependency-check-report.html) says:
```
maven-core-3.6.3.jar
Referenced In Project/Scope: test (plugins)
Included by: pkg:maven/org.owasp/dependency-check-maven@12.1.0 (plugins)
```
The issue originates from the company-imposed (huge) parent pom, which mandates the configuration:
```xml
<failBuildOnCVSS>7</failBuildOnCVSS>
<scanPlugins>true</scanPlugins>
```
There is no explicit reference to maven-core 3.6.3 anywhere in my company parent pom or its dependencies. The following returns nothing:
```bash
mvn help:effective-pom | grep 3.6.3
```
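The empty grep is expected rather than contradictory: the effective POM lists the project's dependencies and plugins, not the dependency tree of those plugins. With `scanPlugins` set to `true`, dependency-check-maven also resolves and scans every build plugin's own dependencies, including its own, and the Maven 3.6.3 `maven-core` it reports is what the plugin pulled in (`mvn dependency:resolve-plugins` lists plugin dependencies and will show it). With `failBuildOnCVSS` at 7, the 9.1 score then fails the build even though the jar never ships with the artifact. The script below is an added example, not code from the replicator repository or from dependency-check: it reads a dependency-check JSON report, separates findings that enter only through plugins from real project dependencies, checks them against the CVSS threshold, and emits a suppression file for the plugin-only ones. The embedded report is constructed by hand to mirror the finding above; the field names it relies on (`projectReferences`, `includedBy`, `packages`, `vulnerabilities`, `cvssv3.baseScore`) are an assumption about the JSON report schema, so compare them with a real `target/site/dependency-check/dependency-check-report.json` before use. The suppression output uses dependency-check's `packageUrl` and `cve` elements; an exact (non-regex) `packageUrl` match is assumed to be accepted.

```python
"""Triage a dependency-check JSON report by how each flagged jar entered the build.

Added example, not part of the replicator project or of dependency-check.
Field names are an assumption about the JSON report schema (see lead-in).
"""
import json
import re
import xml.etree.ElementTree as ET

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed excerpt of a dependency-check-report.json; not real scanner output.
# It mirrors the maven-core finding from the replicator: pulled in only by the
# dependency-check-maven plugin itself, scope "plugins", CVSS 9.1.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "maven-core-3.6.3.jar",
            "projectReferences": ["test (plugins)"],
            "includedBy": [
                {"reference": "pkg:maven/org.owasp/dependency-check-maven@12.1.0",
                 "type": "plugins"}
            ],
            "packages": [{"id": "pkg:maven/org.apache.maven/maven-core@3.6.3"}],
            "vulnerabilities": [
                {"name": "CVE-2021-26291", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.1}}
            ],
        }
    ]
})

# "test (plugins)" -> "plugins"; the scope is the parenthesised suffix.
_SCOPE_RE = re.compile(r"\(([^()]+)\)\s*$")


def load_findings(report_json):
    """Flatten the report into one row per (dependency, CVE)."""
    rows = []
    for dep in json.loads(report_json).get("dependencies", []):
        scopes = set()
        for ref in dep.get("projectReferences", []):
            m = _SCOPE_RE.search(ref)
            scopes.add(m.group(1) if m else "unknown")
        for inc in dep.get("includedBy", []):
            scopes.add(inc.get("type", "unknown"))
        purls = [p["id"] for p in dep.get("packages", [])]
        for vuln in dep.get("vulnerabilities", []):
            score = (vuln.get("cvssv3") or {}).get("baseScore")
            if score is None:  # older entries may only carry a CVSSv2 score
                score = (vuln.get("cvssv2") or {}).get("score", 0.0)
            rows.append({
                "file": dep["fileName"],
                "purl": purls[0] if purls else None,
                "scopes": frozenset(scopes),
                "included_by": [i.get("reference", "?") for i in dep.get("includedBy", [])],
                "cve": vuln["name"],
                "score": float(score),
            })
    return rows


def build_failures(rows, threshold=7.0):
    """Rows that would trip failBuildOnCVSS at the given threshold."""
    return [r for r in rows if r["score"] >= threshold]


def plugin_only(rows):
    """Findings reachable only through plugin dependencies (scanPlugins=true)."""
    return [r for r in rows if r["scopes"] == frozenset({"plugins"})]


def suppression_xml(rows):
    """Emit a suppression file covering plugin-only findings.

    A suppression keyed on packageUrl + cve is not scope-aware, so a CVE is
    only suppressed when no non-plugin occurrence of the same package reports
    it; otherwise the suppression would also hide a finding that does ship.
    """
    blocked = {(r["purl"], r["cve"]) for r in rows if r["scopes"] != frozenset({"plugins"})}
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    seen = set()
    for r in plugin_only(rows):
        key = (r["purl"], r["cve"])
        if r["purl"] is None or key in blocked or key in seen:
            continue
        seen.add(key)
        sup = ET.SubElement(root, "suppress")
        ET.SubElement(sup, "notes").text = (
            f"{r['file']} is pulled in only via {', '.join(r['included_by'])} "
            "(scope: plugins) and is not shipped with the build."
        )
        ET.SubElement(sup, "packageUrl").text = r["purl"]
        ET.SubElement(sup, "cve").text = r["cve"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    for r in build_failures(findings, 7.0):
        print(f"{r['file']} {r['cve']} {r['score']} scopes={sorted(r['scopes'])}")
    print(suppression_xml(findings))
```

Run it against a real report by replacing `SAMPLE_REPORT` with the file contents, then point `<suppressionFile>` in the plugin configuration at the generated XML. Suppressing by package URL plus CVE is deliberate: a bare `<cve>` suppression would also silence the same CVE on any other jar, and the scope check refuses to emit a rule when the same package and CVE also appear outside the `plugins` scope.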
File snapshot
[4.0K] /data/pocs/38f66a3c2cef10094e1e9aee4e7a1f6baf0f8e52
├── [1.2K] README.md
└── [4.0K] target
└── [4.0K] site
└── [4.0K] dependency-check
├── [407K] dependency-check-gitlab.json
├── [902K] dependency-check-jenkins.html
├── [141K] dependency-check-junit.xml
├── [ 94K] dependency-check-report.csv
├── [2.4M] dependency-check-report.html
├── [1.8M] dependency-check-report.json
├── [282K] dependency-check-report.sarif
└── [2.1M] dependency-check-report.xml
3 directories, 9 files
Notes
1. Prefer accessing the original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.