来源

关联漏洞

描述

About simple application with a (unreachable!) CVE-2022-45688 vulnerability

介绍

## json.org CVE-2022-45688 false positive

The project contains a [json.org](https://mvnrepository.com/artifact/org.json/json/20220924) dependency with [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688).
It does invoke the vulnerable class, but the input data is hardcoded
and not suitable to trigger a DoS attack. The vulnerability can therefore not be exploited for a DoS attack.

Both metadata-based and callgraph-based software composition analyses will produce a false positive.
To precisely detect whether the application is vulnerable, a more sophisticated 
inter-procedural dataflow / taint analysis is required.

Note that there is a proof-of-vulnerability test to demonstrate the vulnerability, this test (and therefore the build with `mvn test`)
fails. See [https://github.com/scabench/jsonorg-tp1](https://github.com/scabench/jsonorg-tp1) for how the test works.


### Running Software Composition Analyses

There are several sh scripts to run different analyses, result resports can be found in `scan-results`.

### Generating the SBOM

The `pom.xml` has a plugin to generate a [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format.
To do this, run `mvn cyclonedx:makePackageBom`, the SBOM can be found in
`target/` in `json` and `xml` format.

文件快照

 [4.0K]  /data/pocs/5ff94d685fc1d8fccf74e06b70720e61bd252c9f
├── [ 11K]  LICENSE
├── [2.7K]  pom.xml
├── [1.3K]  README.md
├── [ 452]  run-owasp.sh
├── [ 261]  run-snyk.sh
├── [4.0K]  scan-results
│   ├── [4.0K]  dependency-check
│   │   └── [ 13K]  dependency-check-report.json
│   └── [4.0K]  snyk
│       └── [ 11K]  snyk-report.json
└── [4.0K]  src
    ├── [4.0K]  main
    │   └── [4.0K]  java
    │       └── [4.0K]  scabench
    │           └── [ 497]  XML2JSONConverter.java
    └── [4.0K]  test
        └── [4.0K]  java
            └── [4.0K]  scabench
                └── [ 473]  CVE202245688Test.java

10 directories, 9 files

备注