My application code was recently scanned by JFrog XRay and it produced a result stating that the in-use version of the Bouncy Castle BKS version 1 keystore has a high vulnerability. The version in use by my application is version 1.61, aka "source version = 1.61". XRay reports that infected versions of this library are <= 1.46 and >= 1.49, and this is the reason XRay caught it. This means that only versions between 1.46 and 1.49 are not infected, everything else is, and 1.61 is outside that scope. That cannot be correct. The NVD site (https://nvd.nist.gov/vuln/detail/CVE-2018-5382) states that all versions up to 1.47 (excluding) are infected. Meaning that the in-use version (1.61) is not part of the infected list, as XRay is stating. There is a direct conflict between what XRay is stating and what the NVD is stating.
I have little contact with the administrator of the XRay vulnerability database. I've asked them to check certain things, but to no avail.
I'm hoping someone can help me understand what the problem could be so I can relay that information to the XRay administrator.