Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The tool gave 7z.dll a clean go #7269

Open
mikerabat opened this issue Dec 23, 2024 · 10 comments
Open

The tool gave 7z.dll a clean go #7269

mikerabat opened this issue Dec 23, 2024 · 10 comments
Labels

Comments

@mikerabat
Copy link

In our project we provide an old version of the 7z.dll to compress decompress streams. The dll is provided in our applications program directory.

According to https://nvd.nist.gov/vuln/detail/CVE-2024-11477
there is a critical vulnarability but the command line tool gave it a pass.

The command line I used was:

dependency-check.bat --project "Darwin" --scan "C:\Program Files (x86)\Darwin2"

where Darwin2 is our Deskop application....

Is there anything I did wrong or is this test not in the database?

kind regards

@mikerabat mikerabat added the bug label Dec 23, 2024
@chadlwilson
Copy link
Contributor

I didn't think ODC could scan arbitrary native DLLs - only .NET assemblies packaged as DLL where the metadata can be exracted. Is there an analyzer you'd expect to detect this? https://jeremylong.github.io/DependencyCheck/analyzers/

@mikerabat
Copy link
Author

Actually it extracts only the file version and such from any exe/dll. The 7z dll we use is pretty old (9.20) which clearly should show the problem... Accoding to the Nist entry the vulnarabiliyt is up to version 24.07

@chadlwilson
Copy link
Contributor

The NVD entry is irrelevant if the project has no mechanism to match a binary to a product enumeration and version from reliable metadata.

The question still applies as to which analyzer you expect to work, as i dont see anything documented that implies this might work.

@mikerabat
Copy link
Author

First... sorry I'm new to that tool and was tasked to anaylze our binaries and dependencies...

I would have thought that the assembly-analyzer does the work using GrokAssembly.exe tool - which as far as I can see does it exactly that - extracting vendor and version information...

@chadlwilson
Copy link
Contributor

Yeah, .NET assemblies are different in structure to unmanaged C/C++ DLLs (as 7zip is written in).

I might be wrong, but I don't think ODC does what you're looking for, and personally not aware of other tools that handle arbitrary Windows DLLs consistently, other than commercial ones which maintain their own databases.

@jeremylong jeremylong added question and removed bug labels Dec 26, 2024
@jeremylong
Copy link
Owner

You should take a look at https://jeremylong.github.io/DependencyCheck/general/internals.html

The documentation will explain how ODC works and why arbitrary DLLs are difficult to scan.

@mikerabat
Copy link
Author

mikerabat commented Jan 5, 2025 via email

@jeremylong
Copy link
Owner

look at the CPE, how is ODC supposed to go from 7z.dll to cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*? '7z' != '7-zip'. Where is the "version" information in 7z.dll?

We accept PRs...

@mikerabat
Copy link
Author

I see... so you are saying that the main problem is that it states that the actual dll is not 7z.dll but rather 7-zip.dll is expected?

From a laymans perspective (who uses the tool the first time):
However the properties of the 7z.dll show "7-Zip" as "Product name" and the Version (e.g. 9.20 in my case) in the "Version field.
These fields are actually extracted by the GrokAssembly.exe tool via the standard windows api "GetVersionInfo" ... The list of matching CPEs also adds the specific version....

@jeremylong
Copy link
Owner

can you copy and paste the evidence section?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants