CVE-2022-45688

Published: 13/12/2022 Updated: 09/03/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows malicious users to cause a Denial of Service (DoS) via crafted JSON or XML data. The "stack overflow" is an uncaught java.lang.StackOverflowError: the XML-to-JSON conversion recurses once per nesting level with no depth bound, so an attacker-supplied document with enough nested elements exhausts the thread stack and kills the processing thread. The same recursive conversion exists in JSON-java (org.json), which is listed among the vulnerable products below; JSON-java 20230227 added a configurable maximum nesting depth (default 512) and rejects deeper input with a JSONException instead.
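The following is an added example, not code from this page or from any of the repositories listed on it. It is a small Java program against the org.json (JSON-java) artifact that shows the three situations the summary and the benchmark repositories describe: an unbounded XML.toJSONObject call on a deeply nested document (StackOverflowError on org.json 20220924 and earlier, the CVE-2022-45688 condition), the same call under the nesting bound that 20230227 introduced (XMLParserConfiguration.withMaxNestingDepth, which raises a JSONException instead), and the cheap input precondition described in the false-positive benchmark below, which bounds nesting depth by counting '<' characters before the parser ever sees the input. The class name NestedXmlDosDemo, the nesting depth of 100,000 and the bound of 1,000 are choices made for this demonstration.

```java
import org.json.JSONException;
import org.json.JSONObject;
import org.json.XML;
import org.json.XMLParserConfiguration;

// Added demonstration class (hypothetical name); requires org.json on the classpath.
public class NestedXmlDosDemo {

    // Build an XML document nested `depth` levels deep: <a><a>...<a>x</a>...</a></a>
    // Every level costs the parser one recursive call, so depth is the attacker's lever.
    static String nestedXml(int depth) {
        StringBuilder sb = new StringBuilder(depth * 7 + 1);
        for (int i = 0; i < depth; i++) sb.append("<a>");
        sb.append("x");
        for (int i = 0; i < depth; i++) sb.append("</a>");
        return sb.toString();
    }

    // Precondition in the style of the false-positive benchmark: every element starts
    // with '<', so the number of '<' characters is an upper bound on nesting depth.
    // It over-approximates (comments, CDATA and processing instructions also contain
    // '<'), which only ever makes the check stricter, never weaker.
    static boolean withinDepthBound(String xml, int maxDepth) {
        int opens = 0;
        for (int i = 0; i < xml.length(); i++) {
            if (xml.charAt(i) == '<') opens++;
        }
        return opens < maxDepth;
    }

    public static void main(String[] args) {
        String hostile = nestedXml(100_000);   // constructed attacker input, ~700 KB

        // 1. Vulnerable call: no depth bound. On org.json <= 20220924 (and hutool-json
        //    5.8.10, which ports the same logic) this dies with StackOverflowError,
        //    which is an Error, not an Exception, so ordinary catch(Exception) blocks
        //    in a request handler do not stop it. On 20230227+ the default bound of
        //    512 applies even without a configuration, so a JSONException is raised.
        try {
            XML.toJSONObject(hostile);
            System.out.println("parsed (unexpected for this input)");
        } catch (StackOverflowError e) {
            System.out.println("unbounded parse: StackOverflowError (CVE-2022-45688 DoS)");
        } catch (JSONException e) {
            System.out.println("patched library refused input: " + e.getMessage());
        }

        // 2. Hardened call (org.json >= 20230227): explicit nesting bound. The parser
        //    stops recursing at the bound and throws a JSONException the caller can handle.
        XMLParserConfiguration bounded = XMLParserConfiguration.ORIGINAL.withMaxNestingDepth(512);
        try {
            XML.toJSONObject(hostile, bounded);
        } catch (JSONException e) {
            System.out.println("bounded parse refused input: " + e.getMessage());
        }

        // 3. Guard usable in front of any library version: reject before parsing when
        //    the '<' count exceeds the depth the service is willing to handle.
        String benign = "<root><child>hello</child></root>";   // constructed sample input
        if (withinDepthBound(hostile, 1_000)) {
            System.out.println("hostile input passed the guard (should not happen)");
        } else {
            System.out.println("hostile input rejected by '<' count guard");
        }
        if (withinDepthBound(benign, 1_000)) {
            JSONObject json = XML.toJSONObject(benign);
            System.out.println(json.toString(2));
        }
    }
}
```

Compile and run with the org.json jar on the classpath; which branch of step 1 fires tells you which side of the fix the deployed version is on. The '<'-counting guard is a pre-parse filter only: it keeps a recursive parser off the stack-exhausting path but does not bound the total amount of work the parser does on large, shallow documents, so it complements rather than replaces an upgrade to a version with a built-in nesting limit.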

Vulnerable Products

hutool hutool 5.8.10

json-java project json-java

Vendor Advisories

GitHub Repositories

Transform your OWASP vulnerabilities into XML suppression

OWASP to XML Suppression. Convert your OWASP vulnerabilities string into XML suppressions automatically. How to use: I don't want to transform this code into a package, so you'll need to clone the repo and install deps (pnpm i), then create an input.txt file with the OWASP result: aws-json-protocol-2.17.267.jar (pkg:maven/software.amazon

SoftwareSecurity by Francis Cottrell-Eshaghi. The client: the client in this document is Artemis Financial. Artemis Financial had a software security issue that they wanted the developer, Francis Cottrell-Eshaghi, to address. The specific issue or requirement mentioned in this document is related to secure software practices and refactoring code to enhance security. The client wa

A scenario based on CVE-2022-25845 yielding a TP for metadata-based SCA but an FN if the callgraph is used

jsonorg CVE-2022-45688 true & false positive (WTF ??). The project contains a fastjson dependency with CVE-2022-25845. The vulnerability occurs as markup in JSON is interpreted as Java beans, i.e. classes are instantiated and properties are set by executing setter methods. This is done using reflection. If a class is in the classpath where setters can trigger behaviour

simple application with an (unreachable!) CVE-2022-45688 vulnerability

jsonorg CVE-2022-45688 false positive. The project contains a jsonorg dependency with CVE-2022-45688. It does invoke the vulnerable class, but the input data is sanitised (with a simple method of counting < characters, therefore estimating the max depth of the DOM tree to be generated, and enforcing a precondition that this must be less than 1000) and the vulnerability

simple application with an (unreachable!) CVE-2022-45688 vulnerability

jsonorg CVE-2022-45688 false positive. The project contains a jsonorg dependency with CVE-2022-45688. It does invoke the vulnerable class, but the input data is hardcoded and not suitable to trigger a DoS attack. The vulnerability can therefore not be exploited for a DoS attack. Both metadata-based and callgraph-based software composition analyses will produce a false positive

simple application with a CVE-2022-45688 vulnerability

jsonorg CVE-2022-45688 true positive. The project illustrates CVE-2022-45688 in jsonorg -- there is a simple application XML2JSONConverter to read XML from input, convert it to JSON and pretty-print it to the console. Using malicious input, the application crashes with a stack overflow. The test case CVE202245688Test illustrates this behaviour; it can be executed by running mv

ShadeDetector -- A Tool to Detect Vulnerabilities in Cloned or Shaded Components. Overview: the tool takes the coordinates of a Maven artifact (GAV - GroupId + ArtifactId + Version) and a testable proof-of-vulnerability (TPOV) project as input, and will infer and report a list of artifacts that are cloning / shading the input artifact, and are also exposed to the same vulnerability

simple application with a CVE-2022-45688 vulnerability

jsonorg CVE-2022-45688 false negative. The project illustrates CVE-2022-45688 in jsonorg -- there is a simple application XML2JSONConverter to read XML from input, convert it to JSON and pretty-print it to the console. Using malicious input, the application crashes with a stack overflow. The test case CVE202245688Test illustrates this behaviour; it can be executed by running m

anonymous version of shade detector

ShadeDetector -- A Tool to Detect Vulnerabilities in Cloned or Shaded Components. Overview: the tool takes the coordinates of a Maven artifact (GAV - GroupId + ArtifactId + Version) and a testable proof-of-vulnerability (POV) project as input, and will infer and report a list of artifacts that are cloning / shading the input artifact, and are also exposed to the same vulnerability

SBOM Benchmark Projects. This repository contains benchmark projects for testing Software Bill of Materials (SBOM) generation tools. The benchmarks include scenarios with both vulnerable dependencies and false positives.

Name | Version | Format | Run Instructions | Report Location
cyclonedx-maven-plugin | 2.7.10 | CycloneDX | mvn cyclonedx:makePackageBom | <projecthome>/ta