
False-Positive: MAL-2024-4696 found on Microsoft Webview #385

Open
Geertkok1 opened this issue Jan 28, 2025 · 4 comments
Labels: false-positive (A wrongly identified vulnerability)

@Geertkok1 (Author) opened the issue:

PURL of wrongly matched component

pkg:nuget/[email protected]

Depscan findings


```text
INFO [2025-01-28 13:16:41,677] No oss vulnerabilities detected ✅
```

Geertkok1 added the false-positive label on Jan 28, 2025

@Geertkok1 (Author) commented:

As you can see, `depscan --purl` returns no vulnerabilities. But when we scan a project that contains a NuGet package that uses the component, it returns the following:

```text
Dependency Scan Results (UNIVERSAL)
╔═════════════════════════════════════════════════════════════════════╤═══════════════╤═════════════╤══════════╤═══════╗
║ Dependency Tree                                                     │ Insights      │ Fix Version │ Severity │ Score ║
╟─────────────────────────────────────────────────────────────────────┼───────────────┼─────────────┼──────────┼───────╢
║ FinConnector@latest                                                 │ 🛑 Malicious  │             │ CRITICAL │ 10.0  ║
║ └── [email protected] ⬅ MAL-2024-4696     │               │             │          │       ║
```

If I follow the MAL number, I end up at the following link: Bad version of Winforms, which is not part of WebView. But that package is not used.

It seems that depscan triggers because it also contains the word Winforms. Can you confirm that what I think is happening is actually happening, so that this is a false positive?

With kind regards,
Geert

@prabhu (Member) commented Jan 28, 2025:

Agree, this is a false positive.

@Geertkok1 (Author) commented:

> Agree, this is a false positive.

Thank you for confirming that this is a false positive.

Is there any way to prevent this from happening? Or does this need to be fixed elsewhere?

@prabhu (Member) commented Jan 28, 2025:

With v5 in maintenance mode, we have to live with this briefly. There is an environment variable -e VDB_APP_ONLY=true that can be used to pull down a vdb without any malware feeds. With v6, such false positives will be much lower since it defaults to purl and vers based comparison.
