
My Mule application is built with Mule runtime 4.4.0. In the application's pom.xml, I have specified the "mule-http-connector@1.7.3" dependency as shown below:

        <dependency>
            <groupId>org.mule.connectors</groupId>
            <artifactId>mule-http-connector</artifactId>
            <version>1.7.3</version>
            <classifier>mule-plugin</classifier>
        </dependency>

To check for any vulnerabilities, I am using the OWASP dependency-check plugin with the command shown below:

mvn org.owasp:dependency-check-maven:8.2.1:check

The dependency-check HTML report generated by this plugin shows "mule-module-cors-kernel-1.1.2.jar" as a vulnerable dependency; it is a transitive dependency of the "mule-http-connector@1.7.3" used by the application.

The following vulnerabilities are identified:

  • cpe:2.3:a:mulesoft:api_gateway:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mulesoft:mule_runtime:1.1.2:*:*:*:*:*:*:*

Links:-

But it looks to me that these vulnerabilities were identified only in older versions of Mule runtime, not in Mule runtime version 4.4.0.

Could someone assist me in determining whether the report generated by the OWASP Dependency-Check tool is a false positive or not?

Furthermore, despite using Mule Runtime 4.4.0, why is this vulnerability being flagged in the report?

If it is indeed a valid vulnerability, please specify the reason and how I can go about fixing it.

Jaci_2019
  • Please use [code format](https://stackoverflow.com/editing-help#code) for code, errors and logs. Otherwise the indenting and spacing are not preserved and the information is confusing. – aled Jun 26 '23 at 11:33

1 Answer

The links that you shared about the vulnerabilities show that those vulnerabilities exist in older versions of Mule and were fixed in newer versions. Usually a vulnerability is published after giving the owner of the software a chance to patch it.

Security vulnerability tools are not perfect and can report false positives or miss a vulnerability. You need to be aware of their limitations when using them. You should report the issue to the creator of the tool.

If software has a security vulnerability, your best option is to find out whether a fix is published or to contact the author of the software for a solution.

aled
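Editor's note and added example, not part of the question or of aled's answer. Both matched CPEs carry the version 1.1.2, which is the cors-kernel jar's own version string rather than a Mule Runtime or API Gateway version; dependency-check has paired the jar's vendor and product evidence with a CPE for a different product, which is how this kind of false positive arises. Once you have confirmed that the advisories behind those CPEs do not apply to your runtime, the supported way to silence the match without hiding anything else is a dependency-check suppression file that names the specific artifact and the specific CPEs. The file below is an illustrative example written for this page, not MuleSoft's or the tool's own file; the groupId `org.mule.modules` is assumed from the artifact name and should be checked against `mvn dependency:tree` output before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: assumed example for this page,
     not a file shipped by MuleSoft or by dependency-check. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Suppress only the two CPEs that dependency-check paired with the cors-kernel jar,
         only for that artifact (matched by package URL, not by file name), and only until
         a date by which the connector/module upgrade is expected, so the decision is revisited.
         The groupId org.mule.modules is an assumption; verify it with mvn dependency:tree. -->
    <suppress until="2023-12-31Z">
        <notes><![CDATA[
        file name: mule-module-cors-kernel-1.1.2.jar
        Reason: the CPE version 1.1.2 is the module's own version, not a Mule Runtime
        or API Gateway version; the application runs on Mule runtime 4.4.0.
        Reviewed by: (reviewer), (date). Re-check when mule-http-connector is upgraded.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.mule\.modules/mule\-module\-cors\-kernel@.*$</packageUrl>
        <cpe>cpe:/a:mulesoft:api_gateway</cpe>
        <cpe>cpe:/a:mulesoft:mule_runtime</cpe>
    </suppress>
</suppressions>
```

Reference the file from the `dependency-check-maven` plugin's `<configuration>` in pom.xml with `<suppressionFiles><suppressionFile>dependency-check-suppressions.xml</suppressionFile></suppressionFiles>`, and commit it next to the pom so the reasoning is reviewed with the code. Suppress by `<cpe>` and `<packageUrl>` rather than by a blanket CVE or file-name pattern, because a broad suppression would also hide a real advisory for the same jar later. A suppression is a documented risk decision, not a fix: the fix remains the upgraded module or connector that the answer points to, and the `until` date is what forces that follow-up.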