What are the explanations for the different results in scanning?

[moritzschmitz-oviva]

I did two different scans.

This is the scan before:

+-------------------------------------+------+-----------+---------------------------------------+---------------+---------------+---------------------------------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                               | VERSION       | FIXED VERSION | SOURCE                                      |
+-------------------------------------+------+-----------+---------------------------------------+---------------+---------------+---------------------------------------------+
| https://osv.dev/GHSA-389x-839f-4rhx | 5.5  | Maven     | io.netty:netty-common                 | 4.1.111.Final | 4.1.118.Final | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-xq3w-v528-46rv | 5.5  | Maven     | io.netty:netty-common                 | 4.1.111.Final | 4.1.115.Final | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-4g8c-wm8x-jfhw | 7.5  | Maven     | io.netty:netty-handler                | 4.1.111.Final | 4.1.118.Final | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-9623-mj7j-p9v4 | 6.4  | Maven     | io.quarkus:quarkus-vertx              | 3.15.1        | 3.24.0        | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-q4xq-445g-g6ch | 3.8  | Maven     | org.keycloak:keycloak-core            | 26.0.8        | --            | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-2935-2wfm-hhpv | 4.9  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | --            | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-5jfq-x6xp-7rw2 | 5.4  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.2.2        | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-gvgg-2r3r-53x7 | 5.4  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.0.10       | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-hw58-3793-42gg | 8.2  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.2.2        | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-qj5r-2r5p-phc7 | 6.5  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | --            | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-xhpr-465j-7p9q | 5.4  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.0.13       | ocs-keycloak-logging-event-listener/pom.xml |
| https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5  | Maven     | commons-lang:commons-lang             | 2.6           | --            | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-389x-839f-4rhx | 5.5  | Maven     | io.netty:netty-common                 | 4.1.111.Final | 4.1.118.Final | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-xq3w-v528-46rv | 5.5  | Maven     | io.netty:netty-common                 | 4.1.111.Final | 4.1.115.Final | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-4g8c-wm8x-jfhw | 7.5  | Maven     | io.netty:netty-handler                | 4.1.111.Final | 4.1.118.Final | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-9623-mj7j-p9v4 | 6.4  | Maven     | io.quarkus:quarkus-vertx              | 3.15.1        | 3.24.0        | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5  | Maven     | org.apache.commons:commons-lang3      | 3.14.0        | 3.18.0        | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-q4xq-445g-g6ch | 3.8  | Maven     | org.keycloak:keycloak-core            | 26.0.8        | --            | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-2p82-5wwr-43cw | 5.4  | Maven     | org.keycloak:keycloak-ldap-federation | 26.0.8        | 26.0.10       | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-2935-2wfm-hhpv | 4.9  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | --            | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-5jfq-x6xp-7rw2 | 5.4  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.2.2        | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-gvgg-2r3r-53x7 | 5.4  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.0.10       | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-hw58-3793-42gg | 8.2  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.2.2        | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-qj5r-2r5p-phc7 | 6.5  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | --            | ocs-sms-authenticator/pom.xml               |
| https://osv.dev/GHSA-xhpr-465j-7p9q | 5.4  | Maven     | org.keycloak:keycloak-services        | 26.0.8        | 26.0.13       | ocs-sms-authenticator/pom.xml               |
+-------------------------------------+------+-----------+---------------------------------------+---------------+---------------+---------------------------------------------+

This is the diff:

diff --git a/pom.xml b/pom.xml
index 09ca126..2fed7b2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -15,7 +15,7 @@
   <properties>
     <version.httpclient>4.5.14</version.httpclient>
     <version.jboss-logging>3.6.0.Final</version.jboss-logging>
-    <version.commons-lang>2.6</version.commons-lang>
+    <version.commons-lang3>3.18.0</version.commons-lang3>
     <commons-codec.version>1.17.0</commons-codec.version>
     <twilio.version>10.4.1</twilio.version>
   </properties>
@@ -66,9 +66,9 @@
       <scope>provided</scope>
     </dependency>
     <dependency>
-      <groupId>commons-lang</groupId>
-      <artifactId>commons-lang</artifactId>
-      <version>${version.commons-lang}</version>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <version>${version.commons-lang3}</version>
     </dependency>
     <!-- Twilio SMS Gateway Dependency - Downgraded back to 7.x.x see IDP-11 -->
     <dependency>
diff --git a/ProviderImpl.java b/ProviderImpl.java
index dd6e7c9..affa5ab 100644
--- a/ProviderImpl.java
+++ b/ProviderImpl.java
@@ -2,7 +2,7 @@ package com.oviva.sso.keycloak.authenticator;
 
 import java.security.SecureRandom;
 import java.util.Random;
-import org.apache.commons.lang.RandomStringUtils;
+import org.apache.commons.lang3.RandomStringUtils;
 
 public class OneTimePasswordProviderImpl implements OneTimePasswordProvider {
 
diff --git a/pom.xml b/pom.xml
index 8bb1dbc..7689f53 100644
--- a/pom.xml
+++ b/pom.xml
@@ -92,6 +92,25 @@
         <version>${auto-service.version}</version>
       </dependency>
 
+      <!-- Override vulnerable Netty versions -->
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-common</artifactId>
+        <version>4.1.118.Final</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+        <version>4.1.118.Final</version>
+      </dependency>
+
+      <!-- Override vulnerable Quarkus version -->
+      <dependency>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-vertx</artifactId>
+        <version>3.24.0</version>
+      </dependency>
+
       <dependency>
         <groupId>org.junit</groupId>
         <artifactId>junit-bom</artifactId>

This is the scan after:

No issues found

This seems unintuitive at least, what is happening?

[cuixq]

would you able to share the complete pom.xml files? if that is not possible, how about the complete dependencies section (including dependency management)?

also, I assume the diffs listed above come from: ocs-sms-authenticator/pom.xml (the one with commons-lang dependency) and ocs-keycloak-logging-event-listener/pom.xml (the one with overrides). For these two pom files, is there any project inheritance (i.e. one project is the parent of another)?

[cuixq]

copy over the comment in #2079:

In the discussion attached there is the quarkus-vertx dependency explicitly mentioned. It cannot be found on deps.dev.
As a result in V2.1 the run fails. In v2.2 it doesn't fail no more, but it also doesn't list the other vulnerabilities any more.

[cuixq]

@moritzschmitz-oviva could you also try to run osv-scanner with the native registry client, i.e. with --data-source=native specified? With this flag, osv-scanner would fetch projects from the Maven Central repository instead of deps.dev API.

also you mentioned that the run failed in v2.1 but you also did present the scan result before pom.xml change, could you clarify this a bit?

for the question whether #2079 is a bug: I don't think so. The reason behind that PR is that if the transitive scanning fails we probably won't have any dependencies extracted and we can do nothing; but if we fallback to the offline extractor, at least some dependencies will be extracted so we can try our best to match the vulnerabilities.

[moritzschmitz-oviva]

@cuixq I set up a project here as simple as possible: https://github.com/moritzschmitz-oviva/osv-scanner-test.

[cuixq]

The failure is due to package io.quarkus:quarkus-vertx version 3.24.0 not found in deps.dev. Running OSV-Scanner with --data-source=native is able to scan the manifests with the native registry client and hope this solves the problem.

I have also filed a bug with deps.dev google/deps.dev#290 on this data quality issue.

[moritzschmitz-oviva]

Exactly, I made the same discovery.

From my point of view, this requires better handling, though.

1. In case a dependency cannot be found, emit a warning at least that the scan was incomplete.
2. And more importantly, keep resolving the other dependencies (if that is technically possible, of course).

If you agree with this, I am happy to make a contribution.

[cuixq]

I think how to handle a dependency not found during dependency resolution depends on how that ecosystem handles that. If the behaviour that you suggest is what mvn does, this is probably something to improve with the deps.dev Maven resolver - feel free to make contributions.

From osv-scanner's point of view, one potential improvement may be to log the error message if the transitive scanning fails and we fall back to the offline one so at least people know not the whole dependency graph is being scanned.