Hello
I have a java test application containing a vulnerable component:
- com.google.guava:guava : 19.0
- CVE-2018-10237
- CVE-2023-2976
There are more vulnerabilities; I kept only the ones with CVSS >= 4.
This jar app is included in a docker image:
FROM foo
COPY app.jar ./
I scan the jar of this application with nexus iq:
./nexus-iq-cli -i java-app-playground -e app.jar
Truncated output is:
IQ Server is alerting to Policy(policy-default-fail-for-security) [ Component(displayName=com.google.guava : guava : 19.0, hash=6ce200f6b23222af3d8a) [ Constraint(CVSS medium, high or critical) [Security Vulnerability Severity >= 4 because: Found security vulnerability CVE-2023-2976 with severity >= 4 (severity = 7.1), on condition 0] ]]
IQ Server is alerting to Policy(policy-default-fail-for-security) [ Component(displayName=com.google.guava : guava : 19.0, hash=6ce200f6b23222af3d8a) [ Constraint(CVSS medium, high or critical) [Security Vulnerability Severity >= 4 because: Found security vulnerability CVE-2018-10237 with severity >= 4 (severity = 5.9), on condition 0] ]]
And then the docker image with nexus container:
./nexus-iq-cli -i java-app-playground -e container:myimg:latest
Truncated output is:
IQ Server is alerting to Policy(policy-default-fail-for-security) [ Component(displayName=jar : com.google.guava:guava : 19.0, hash=fa20bc21fc82f64b21d1) [ Constraint(CVSS medium, high or critical) [Security Vulnerability Severity >= 4 because: Found security vulnerability CVE-2023-2976 with severity >= 4 (severity = 5.5), on condition 0] ]]
IQ Server is alerting to Policy(policy-default-fail-for-security) [ Component(displayName=jar : com.google.guava:guava : 19.0, hash=fa20bc21fc82f64b21d1) [ Constraint(CVSS medium, high or critical) [Security Vulnerability Severity >= 4 because: Found security vulnerability CVE-2018-10237 with severity >= 4 (severity = 5.9), on condition 0] ]]
First, there are some inconsistencies:
- the hash of the component (com.google.guava) is not the same in the two scans
- CVE-2023-2976 does not have the same severity (CVSS) in the two scans
- the name of the component is not the same (prefixed with “jar :” when using nexus container)
Then I try to apply a waiver for CVE-2023-2976. I select the policy violation corresponding to CVE-2023-2976 that was triggered in the first scan and I create a waiver that should be applied for all components (because the app component names/hashes during a Nexus container scan are not the same).
I re-run the jar scan:
IQ Server is alerting to Policy(policy-default-fail-for-security) [ Component(displayName=com.google.guava : guava : 19.0, hash=6ce200f6b23222af3d8a) [ Constraint(CVSS medium, high or critical) [Security Vulnerability Severity >= 4 because: Found security vulnerability CVE-2018-10237 with severity >= 4 (severity = 5.9), on condition 0] ]]
And then the Nexus container scan:
IQ Server is alerting to Policy(policy-default-fail-for-security) [ Component(displayName=jar : com.google.guava:guava : 19.0, hash=fa20bc21fc82f64b21d1) [ Constraint(CVSS medium, high or critical) [Security Vulnerability Severity >= 4 because: Found security vulnerability CVE-2018-10237 with severity >= 4 (severity = 5.9), on condition 0] ]]
IQ Server is alerting to Policy(policy-default-fail-for-security) [ Component(displayName=jar : com.google.guava:guava : 19.0, hash=fa20bc21fc82f64b21d1) [ Constraint(CVSS medium, high or critical) [Security Vulnerability Severity >= 4 because: Found security vulnerability CVE-2023-2976 with severity >= 4 (severity = 5.5), on condition 0] ]]
As you can see, the waiver is correctly applied in the first scan but not in the Docker image scan. I don’t know why.
Regards
Eric
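The post shows the same guava 19.0 reported under two different hashes depending on whether the jar or the image was scanned. The first check a practitioner would make before touching waivers is whether the two scanners actually saw the same bytes: hash the jar directly, then hash the copy that ends up inside the image layers (from `docker save`), and compare. The script below does that. It is an added example, not code from the post or from Sonatype, and it rests on two assumptions that are labelled in the code: that the 20-character `hash` in the IQ output is the first 20 hex characters of the file's SHA-1, and that `app.jar` may be a fat jar with dependencies nested under a path such as `BOOT-INF/lib/`, so nested jars are hashed as well. The sample jar and image tarball are constructed in memory so the script runs offline; nothing in it explains why IQ labels the container-scan component with a different hash, which the post does not say.

```python
"""Hash jars the way the two scans in the post might see them: the jar scanned
directly, and the same jar found inside a `docker save` tarball.
Added example; not part of the forum post and not Sonatype code.

Assumption: Nexus IQ identifies a component by the first 20 hex characters of
its SHA-1 (the reported hashes are 20 hex chars long).
"""
import hashlib
import io
import json
import tarfile
import zipfile


def iq_hash(data: bytes) -> str:
    """IQ-style identifier: SHA-1 of the bytes, truncated to 20 hex chars (assumption)."""
    return hashlib.sha1(data).hexdigest()[:20]


def nested_jars(jar_bytes: bytes, path: str = "app.jar"):
    """Yield (path, bytes) for a jar and, recursively, every .jar packed inside it.

    A fat jar nests its dependencies (e.g. BOOT-INF/lib/guava-19.0.jar); a scanner
    that unpacks it hashes the nested jar, not the outer one.
    """
    yield path, jar_bytes
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".jar"):
                yield from nested_jars(zf.read(name), f"{path}!/{name}")


def jars_in_image_tar(image_tar: bytes):
    """Walk a `docker save` archive: each layer is itself a tar; yield jars found in layers."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        for member in outer.getmembers():
            if not member.isfile():
                continue
            blob = outer.extractfile(member).read()
            try:
                layer = tarfile.open(fileobj=io.BytesIO(blob))
            except tarfile.ReadError:
                continue  # manifest.json, image config, etc. are not layers
            with layer:
                for entry in layer.getmembers():
                    if entry.isfile() and entry.name.endswith(".jar"):
                        data = layer.extractfile(entry).read()
                        yield from nested_jars(data, f"{member.name}:{entry.name}")


def hash_table(jars) -> dict:
    """Map each jar path to its IQ-style hash."""
    return {path: iq_hash(data) for path, data in jars}


def explain(direct: dict, image: dict) -> list:
    """Rows (hash, seen in direct jar scan, seen in image scan) for every hash found.

    A hash present on one side only means the two scans hashed different bytes;
    all rows True/True means the bytes agree and the label difference lies elsewhere.
    """
    all_hashes = set(direct.values()) | set(image.values())
    return sorted((h, h in direct.values(), h in image.values()) for h in all_hashes)


# Constructed sample input (not real artifacts): a fake guava jar nested in a fake
# fat app.jar, copied into a single-layer image, mirroring `COPY app.jar ./`.
def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _tar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


GUAVA_JAR = _zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                  "com/google/common/base/Strings.class": b"\xca\xfe\xba\xbe fake class"})
APP_JAR = _zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                "BOOT-INF/lib/guava-19.0.jar": GUAVA_JAR})
IMAGE_TAR = _tar({"manifest.json": json.dumps([{"Layers": ["layer.tar"]}]).encode(),
                  "layer.tar": _tar({"app.jar": APP_JAR})})

if __name__ == "__main__":
    direct = hash_table(nested_jars(APP_JAR))
    image = hash_table(jars_in_image_tar(IMAGE_TAR))
    for row in explain(direct, image):
        print(row)
```

To use it on the real artifacts, read `app.jar` into `nested_jars` and the output of `docker save myimg:latest -o myimg.tar` into `jars_in_image_tar`, then compare the 20-character prefixes with the `hash=` values printed by the two CLI runs.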