
High severity issues in security dependency check - False Positive #73

@ghost

Description

The ktlint ruleset shows up as a high severity issue when running a dependency check.
pinterest/ktlint#512

The reason is that the ktlint module packages as ktlint.jar and ktlint-core.jar, which results in a false positive because it thinks version 0.0.5 (also 0.0.12) is below ktlint's fix version 0.30.0, if I am not mistaken.

To Reproduce
Run plugin org.owasp.dependencycheck 7.1.1 and see it fail

Expected behavior
It shouldn't show as a high severity issue, which is a false positive.

Additional information
core-ktlint-0.0.5.jar | NVDCVE-2019-1010260 | High | CWE-319
File Path | /var/lib/jenkins/.gradle/caches/modules-2/files-2.1/com.twitter.compose.rules/core-ktlint/0.0.5/f9f346f5a1fd509f84e53775ec52f18514c4ee42/core-ktlint-0.0.5.jar
SHA-1 | f9f346f5a1fd509f84e53775ec52f18514c4ee42
SHA-256 | 5c8976a039ecedeb10de5fa44b56e1014b71badbcd1404c89c9643221f173462
Description | Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.

ktlint-0.0.5.jar | NVDCVE-2019-1010260 | High | CWE-319
File Path | /var/lib/jenkins/.gradle/caches/modules-2/files-2.1/com.twitter.compose.rules/ktlint/0.0.5/7954c9ff6e47f94dce73bc6f534c22f66bdb34fb/ktlint-0.0.5.jar
SHA-1 | 7954c9ff6e47f94dce73bc6f534c22f66bdb34fb
SHA-256 | 7e57dc0e98863516afacac94b6ffdea50b6226e1fae5f280581da642b2c6d7b0
Description | Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
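A practical way to handle the finding until the upstream CPE data is corrected is a dependency-check suppression file. The block below is an added example, not code from the issue, the plugin, or the com.twitter.compose.rules project; the file name config/dependency-check-suppressions.xml is an assumption, while the SHA-1 values are the ones listed in the report above. It shows the two usual scopes: matching by package URL (survives version bumps of the ruleset) and matching by the exact jar hash (narrower, must be updated on every upgrade). Pick one; both are included only to show the difference.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (assumed path: config/dependency-check-suppressions.xml).
     CVE-2019-1010260 is about the ktlint tool itself fetching custom rulesets over
     plain HTTP (CWE-319), fixed in ktlint 0.30.0. The com.twitter.compose.rules
     artifacts are a ruleset consumed by ktlint, not ktlint, so the match is wrong
     for every version of these artifacts, not just 0.0.5. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Option A: suppress by package URL. The regex keeps matching after the
         ruleset version changes, but only for this one CVE and this one groupId. -->
    <suppress>
        <notes><![CDATA[
        False positive: com.twitter.compose.rules:ktlint and :core-ktlint are matched
        to the ktlint CPE. CVE-2019-1010260 applies to the ktlint tool, not to rulesets.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.twitter\.compose\.rules/(ktlint|core-ktlint)@.*$</packageUrl>
        <cve>CVE-2019-1010260</cve>
    </suppress>

    <!-- Option B: suppress by SHA-1 of the exact jars named in the report.
         Stricter: a future artifact that really is affected cannot slip under it. -->
    <suppress>
        <notes><![CDATA[ file name: core-ktlint-0.0.5.jar ]]></notes>
        <sha1>f9f346f5a1fd509f84e53775ec52f18514c4ee42</sha1>
        <cve>CVE-2019-1010260</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[ file name: ktlint-0.0.5.jar ]]></notes>
        <sha1>7954c9ff6e47f94dce73bc6f534c22f66bdb34fb</sha1>
        <cve>CVE-2019-1010260</cve>
    </suppress>
</suppressions>
```

Point the Gradle plugin at the file with `dependencyCheck { suppressionFile = 'config/dependency-check-suppressions.xml' }` in build.gradle, re-run the check, and confirm in the HTML report that the finding now appears in the suppressed section rather than disappearing silently. Scope the suppression to the CVE as shown rather than suppressing the whole artifact, so any genuinely new advisory against these jars still surfaces.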

Labels: documentation (Improvements or additions to documentation)