incorrect dependency details for rust projects #23

Closed
Phate6660 opened this issue Oct 29, 2020 · 9 comments · Fixed by ShiftLeftSecurity/sast-scan#262
Comments

@Phate6660

Phate6660 commented Oct 29, 2020

For example, here is the latest scan from my rsPhate repo:

                             Dependency Scan Results (rust)                              
╔══════════════════════╤═════════╤════════════╤═════════╤════════════╤══════════╤═══════╗
║ Id                   │ Package │ Used?      │ Version │ Fix        │ Severity │ Score ║
║                      │         │            │         │ Version    │          │       ║
╟──────────────────────┼─────────┼────────────┼─────────┼────────────┼──────────┼───────╢
║ CVE-2020-25576       │ rand    │ N/A        │ <0.4.2  │ 0.4.2      │ CRITICAL │   9.8 ║
║ CVE-2020-7465        │ mpd     │ N/A        │ <5.9    │ 5.9        │ CRITICAL │   9.8 ║
║ CVE-2020-7466        │ mpd     │ N/A        │ <5.9    │ 5.9        │ HIGH     │   7.5 ║
║ CVE-2017-16138       │ mime    │ N/A        │ <1.4.1  │ 1.4.1      │ HIGH     │   7.5 ║
╚══════════════════════╧═════════╧════════════╧═════════╧════════════╧══════════╧═══════╝

The latest version of the mpd crate is 0.0.12, so I'm not exactly sure where 5.9 is coming from.

And it thinks that my rand version is less than 0.4.2, when it's actually 0.7.3.


This is unrelated, but all scans fail due to being unable to upload the report:

Error: No SARIF files found to upload in "reports".
Error: No SARIF files found to upload in "reports".
    at Object.upload (/home/runner/work/_actions/github/codeql-action/v1/lib/upload-lib.js:82:19)
    at run (/home/runner/work/_actions/github/codeql-action/v1/lib/upload-sarif-action.js:29:46)
@prabhu
Contributor

prabhu commented Oct 29, 2020

Hi @Phate6660

Thank you for reporting the issue. On checking Cargo.lock I can see the vulnerable version of rand mentioned here - https://github.com/Phate6660/rsPhate/blob/master/Cargo.lock#L1212 . Have to read up on Cargo lock files to find which version would get used if multiple entries are present. Will you be able to point me in the right direction here?

mpd and mime findings are false positives. Scan uses dep-scan which uses NVD as a data source. Both mpd and mime have the group with suffix _project. E.g. mpd_project. In case of CVE-2020-25576 rand_project turned out to be the group name for a legitimate crate package. However, clearly this suffix is creating FPs in case of mpd and mime.

What I can do is for rust projects try to use rust advisory-db as a datasource instead of NVD. The change should happen here - https://github.com/AppThreat/vulnerability-db/tree/master/vdb/lib . Will you be able to contribute a PR?

Regarding upload action failures, the codeql upload step that is mentioned in the workflow is refusing to work without any SARIF files. I added some logic to create an empty sarif file here - https://github.com/ShiftLeftSecurity/sast-scan/blob/master/scan#L580 . Looks like it has to be extended to cover languages such as rust for which scan doesn't have any sast tool available.

To summarize, there is quite a bit of work involved to support rust properly at this stage. Will keep this issue open and update with the progress made.

@prabhu
Contributor

prabhu commented Oct 29, 2020

github/codeql-action#282

@prabhu
Contributor

prabhu commented Oct 29, 2020

Package rofl is indeed pulling the old version of rand here - https://github.com/Phate6660/rsPhate/blob/master/Cargo.lock#L1427
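To answer the lock-file question raised above (a Cargo.lock lists every resolved package, so when two semver-incompatible versions of a crate appear, Cargo builds both, each pulled in by whichever crate requires it), here is an added example that is not part of this thread or of the scan project: a small Python script that walks a Cargo.lock, reports every locked version of a crate below a given fix version, and names the crates that require it. The Cargo.lock excerpt, crate names and versions are constructed to mirror the rsPhate situation, and the parser is deliberately minimal, not a full TOML parser.

```python
import re
# Constructed Cargo.lock excerpt modelled on the thread: the project needs rand 0.7.3 directly
# while the rofl crate pins an old rand 0.4.x, so Cargo builds both. Sample values only.
SAMPLE_LOCK = """
[[package]]
name = "rand"
version = "0.4.1"
[[package]]
name = "rand"
version = "0.7.3"
[[package]]
name = "rofl"
version = "0.1.0"
dependencies = [
 "rand 0.4.1",
]
[[package]]
name = "rsphate"
version = "0.1.0"
dependencies = [
 "rand 0.7.3",
 "rofl",
]
"""

def parse_lock(text):
    """One {name, version, deps} dict per [[package]] block (minimal, not a full TOML parser)."""
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(name|version) = "([^"]+)"', block, re.M))
        deps = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # dependency entries look like "name", "name 1.2.3" or "name 1.2.3 (source)"
        fields["deps"] = [tuple((e.split() + [None])[:2])
                          for e in re.findall(r'"([^"]+)"', deps.group(1) if deps else "")]
        pkgs.append(fields)
    return pkgs

def vtuple(v):
    return tuple(int(x) for x in v.split("."))

def vulnerable_versions(pkgs, crate, fix_version):
    """Locked versions of `crate` below `fix_version`, each with the crates that require it."""
    locked = {p["name"]: p["version"] for p in pkgs}
    rev = {}  # (crate, version) -> crates that pull in exactly that locked version
    for p in pkgs:
        for dep, ver in p["deps"]:
            # Cargo omits the version only when a single version of that crate is locked
            rev.setdefault((dep, ver or locked.get(dep)), []).append(p["name"])
    return {p["version"]: rev.get((crate, p["version"]), []) for p in pkgs
            if p["name"] == crate and vtuple(p["version"]) < vtuple(fix_version)}
```

Running `vulnerable_versions(parse_lock(open("Cargo.lock").read()), "rand", "0.4.2")` on a real lock file gives the same kind of answer as the comment above: the old rand entry and the crate (rofl) that pins it, while the project's own rand 0.7.3 is correctly left out.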

@prabhu
Contributor

prabhu commented Oct 30, 2020

I can see that the build failures due to missing sarif files are resolved now with the latest commit.

@llucax

llucax commented Jan 5, 2021

FYI, this is still failing due to the absence of reports for me: https://github.com/noclick-me/noclickd/pull/22/checks?check_run_id=1650729881

@prabhu
Contributor

prabhu commented Jan 5, 2021

I can see what is going on. Fix coming shortly, but I might ask for your help to retest.

@prabhu
Contributor

prabhu commented Jan 5, 2021

@llucax Can you rerun the github action workflow?

@llucax

llucax commented Jan 6, 2021

Sorry for the late reply, I did and it worked (as in the action didn't fail with an error). Thanks for the super fast reply!

On an unrelated note, I was trying this action thinking that it will report any found vulnerabilities in dependencies in GitHub's Security tab as the ones you receive with officially supported languages (like ruby), but I guess if the report that is uploaded to GitHub is empty, that won't happen?

@prabhu
Contributor

prabhu commented Jan 6, 2021

@llucax Glad it fixed the errors.

Depscan results are currently not integrated with GitHub code scanning. I wish GitHub would partner with us in opening the dependency scan results tab instead of keeping it locked to dependabot alone.

Some folks like anchore convert depscan findings to SARIF format to make them appear in code scanning. I'm not in favor of this workaround, although it is kinda possible. The json reports produced by scan can be consumed to build any custom workflow. For example: https://slscan.io/en/latest/integrations/github-actions/ has an upload artifact step to upload all reports. Some users have built custom scripts for notifications, uploading reports to an s3 bucket, and so on.

Hope this helps!
