
CVE-2022-45688 PoC — Hutool Buffer Error Vulnerability

Source
Associated Vulnerability
Title: Hutool Buffer Error Vulnerability (CVE-2022-45688)
Description: Hutool is a small but comprehensive Java utility library from China's Dromara community. Hutool v5.8.10 contains a security vulnerability that stems from a stack overflow in the XML.toJSONObject component, allowing an attacker to cause a denial of service (DoS) via crafted JSON or XML data.
Description
A simple application with a CVE-2022-45688 vulnerability.
Readme
## json.org CVE-2022-45688 false negative

The project illustrates [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688) in [json.org](https://mvnrepository.com/artifact/org.json/json/20220924): it contains a simple application,
`XML2JSONConverter`, that reads XML from input, converts it to JSON and
pretty-prints it to the console.

With malicious input, the application crashes with a stack overflow.

The test case `CVE202245688Test` illustrates this behaviour; it
can be executed by running `mvn test`.

### Running Software Composition Analyses

There are several sh scripts to run different analyses; the resulting reports can be found in `scan-results`.

### False Negative

The SCA reports (including the ones produced by the GitHub Actions set up for the project) fail to report [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688), although
the included test clearly shows that the vulnerability is present. The reason is that tools based on
metadata analysis only (i.e. declared dependencies) do not realise that the project
uses a [shaded version of (a vulnerable version of) json.org](https://mvnrepository.com/artifact/org.json/json/20220924).

Note that shading is done manually, i.e. the Maven shade plugin is not used.
[Our recent research](https://arxiv.org/abs/2306.05534) suggests that this is a common source of software composition analysis
false negatives.
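As an added example (not part of the PoC project or its scan scripts), the following check surfaces exactly the case the metadata-only tools miss: library source that has been vendored into the repository, optionally under a renamed package prefix such as `shaded.org.json`. The `KNOWN_PACKAGES` table and the `SAMPLE_PATHS` list are constructed for this example (the paths are taken from the project's file listing); a real run would walk the repository and pass every `.java` path in.

```python
from pathlib import PurePosixPath

# Library packages to look for, path form -> Maven coordinates. Assumed table
# for this example; in practice it would come from an SBOM or advisory feed.
KNOWN_PACKAGES = {
    "org/json": "org.json:json",
}

# Java files relative to the repository root. Constructed from the PoC's file
# listing rather than read from disk, so the example runs offline.
SAMPLE_PATHS = [
    "src/main/java/scabench/XML2JSONConverter.java",
    "src/main/java/shaded/org/json/JSONObject.java",
    "src/main/java/shaded/org/json/XML.java",
    "src/main/java/shaded/org/json/XMLTokener.java",
    "src/test/java/scabench/CVE202245688Test.java",
]

SOURCE_ROOTS = ("src/main/java", "src/test/java")


def find_shaded_copies(java_paths, known=KNOWN_PACKAGES, roots=SOURCE_ROOTS):
    """Map each package directory under a source root that is, or ends with,
    a known library package to the library it copies, whether the prefix was
    renamed ('relocated', e.g. shaded.org.json) and the class names under it.

    Either way the library ships as source in the repository, so it never
    appears in the declared dependencies a metadata-only SCA tool reads.
    """
    hits = {}
    for path in java_paths:
        p = PurePosixPath(path)
        root = next((r for r in roots if path.startswith(r + "/")), None)
        if p.suffix != ".java" or root is None:
            continue
        pkg_dir = p.parent.relative_to(root).as_posix()
        for lib_dir, coords in known.items():
            if pkg_dir == lib_dir or pkg_dir.endswith("/" + lib_dir):
                entry = hits.setdefault(pkg_dir.replace("/", "."),
                                        {"library": coords,
                                         "relocated": pkg_dir != lib_dir,
                                         "classes": []})
                entry["classes"].append(p.stem)
    for entry in hits.values():
        entry["classes"].sort()
    return hits


if __name__ == "__main__":
    for pkg, info in find_shaded_copies(SAMPLE_PATHS).items():
        kind = "relocated copy" if info["relocated"] else "in-place copy"
        print(f"{pkg}: {kind} of {info['library']}, "
              f"classes: {', '.join(info['classes'])}")
```

Each hit is a package to look up by hand against the SBOM and the advisory for its library, since the version is not recoverable from paths alone.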

### Generating the SBOM

The `pom.xml` has a plugin to generate an [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format.
To do this, run `mvn cyclonedx:makePackageBom`; the SBOM can then be found in
`target/` in `json` and `xml` format.

File Snapshot

```
[4.0K] /data/pocs/57563888af5422503b6d33d1f69707bad2839686
├── [ 11K] LICENSE
├── [2.4K] pom.xml
├── [1.6K] README.md
├── [ 452] run-owasp.sh
├── [ 261] run-snyk.sh
├── [4.0K] scan-results
│   ├── [4.0K] dependency-check
│   │   └── [1.4K] dependency-check-report.json
│   └── [4.0K] snyk
│       └── [2.6K] snyk-report.json
└── [4.0K] src
    ├── [4.0K] main
    │   └── [4.0K] java
    │       ├── [4.0K] scabench
    │       │   └── [ 402] XML2JSONConverter.java
    │       └── [4.0K] shaded
    │           └── [4.0K] org
    │               └── [4.0K] json
    │                   ├── [9.4K] CDL.java
    │                   ├── [8.0K] Cookie.java
    │                   ├── [2.3K] CookieList.java
    │                   ├── [4.8K] HTTP.java
    │                   ├── [1.4K] HTTPTokener.java
    │                   ├── [ 57K] JSONArray.java
    │                   ├── [1.2K] JSONException.java
    │                   ├── [ 21K] JSONML.java
    │                   ├── [ 98K] JSONObject.java
    │                   ├── [ 558] JSONPointerException.java
    │                   ├── [ 11K] JSONPointer.java
    │                   ├── [ 662] JSONPropertyIgnore.java
    │                   ├── [ 748] JSONPropertyName.java
    │                   ├── [2.1K] JSONStringer.java
    │                   ├── [ 762] JSONString.java
    │                   ├── [ 16K] JSONTokener.java
    │                   ├── [ 14K] JSONWriter.java
    │                   ├── [1.9K] Property.java
    │                   ├── [ 34K] XML.java
    │                   ├── [ 14K] XMLParserConfiguration.java
    │                   ├── [ 11K] XMLTokener.java
    │                   └── [1.2K] XMLXsiTypeConverter.java
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] scabench
                └── [ 477] CVE202245688Test.java

13 directories, 31 files
```