Skip to content

fix(analyzer): detect OpenSSL 3.x in OpenSSLAnalyzer#8484

Open
shawnjohnjr wants to merge 1 commit into
dependency-check:mainfrom
shawnjohnjr:fix/openssl-3x-analyzer
Open

fix(analyzer): detect OpenSSL 3.x in OpenSSLAnalyzer#8484
shawnjohnjr wants to merge 1 commit into
dependency-check:mainfrom
shawnjohnjr:fix/openssl-3x-analyzer

Conversation

@shawnjohnjr
Copy link
Copy Markdown

@shawnjohnjr shawnjohnjr commented May 6, 2026

Summary

  • OpenSSLAnalyzer cannot detect OpenSSL 3.x sources today: 3.x defines OPENSSL_VERSION_NUMBER as a macro expression (not a literal hex constant), the existing regex never matches, and the dependency is dropped via engine.removeDependency(). As a result a scan over an OpenSSL 3.x source tree produces no CPE and never matches NVD CVEs.
  • This adds a second pattern that captures OPENSSL_VERSION_STR "X.Y.Z" (introduced in OpenSSL 3.0) and tries it before falling back to the legacy OPENSSL_VERSION_NUMBER hex pattern, so 1.x detection is preserved.
  • Adds a test fixture (core/src/test/resources/openssl-3x/opensslv.h from OpenSSL 3.5.6) and a parallel test case asserting 3.5.6 is extracted.

Reproducer (before this change)

Scan an OpenSSL 3.5.6 source tree:

dependency-check --scan path/to/openssl-3.5.6 --enableExperimental --format JSON ...

The resulting JSON has no dependency for opensslv.h and no cpe:2.3:a:openssl:openssl:3.5.6:* identifier. After this change the same scan produces:

filePath: .../include/openssl/opensslv.h
versionEvidence.Version Constant = 3.5.6   [HIGH]
softwareIdentifiers: [pkg:generic/openssl@3.5.6]
vulnerabilityIds: [cpe:2.3:a:openssl:openssl:3.5.6:*:*:*:*:*:*:*]

Test plan

  • mvn -pl core -am test -Dtest=OpenSSLAnalyzerTest -Dsurefire.failIfNoSpecifiedTests=false — 5/5 pass (existing 4 + new testOpenSSL3xVersionHeaderFile)
  • End-to-end CLI scan against an OpenSSL 3.5.6 source tree confirms cpe:2.3:a:openssl:openssl:3.5.6 is now attached to the opensslv.h dependency

@boring-cyborg boring-cyborg Bot added core changes to core tests test cases labels May 6, 2026
@chadlwilson chadlwilson requested a review from Copilot May 6, 2026 15:48
Copilot AI reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates OpenSSLAnalyzer so it can correctly extract versions from OpenSSL 3.x source headers, where OPENSSL_VERSION_NUMBER is no longer a literal hex constant and therefore doesn’t match the legacy regex. This ensures OpenSSL 3.x scans produce version evidence and identifiers (e.g., CPE/PURL), enabling NVD CVE matching.

Changes:

  • Add detection for OpenSSL 3.x by parsing OPENSSL_VERSION_STR "X.Y.Z" before falling back to the legacy OPENSSL_VERSION_NUMBER pattern.
  • Add an OpenSSL 3.5.6 opensslv.h test fixture under core test resources.
  • Add a new unit test asserting 3.5.6 is extracted from the OpenSSL 3.x header.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java Adds a new regex path to extract OpenSSL 3.x versions via OPENSSL_VERSION_STR, preserving the existing 1.x detection fallback.
core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java Adds a unit test covering OpenSSL 3.x header parsing (3.5.6).
core/src/test/resources/openssl-3x/opensslv.h Introduces a real-world OpenSSL 3.5.6 opensslv.h fixture for regression coverage.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@chadlwilson
Copy link
Copy Markdown
Collaborator

chadlwilson commented May 7, 2026

This analyzer is super curious to me given how specific it is. I wonder how many people use it - are you a user? 😅

@shawnjohnjr
fix(analyzer): detect OpenSSL 3.x in OpenSSLAnalyzer
a3ae98f 
OpenSSL 3.x defines OPENSSL_VERSION_NUMBER as a macro expression
rather than a literal hex constant, so the existing regex never
matches and the analyzer drops the dependency. As a result,
3.x source trees produce no CPE and never match NVD CVEs.

Add a second pattern that captures OPENSSL_VERSION_STR "X.Y.Z"
(introduced in 3.0); fall back to the legacy NUMBER pattern for
1.x and earlier. Adds a test fixture/case using opensslv.h from
OpenSSL 3.5.6.
@shawnjohnjr shawnjohnjr force-pushed the fix/openssl-3x-analyzer branch from 089d77b to a3ae98f Compare May 13, 2026 00:27
@shawnjohnjr
Copy link
Copy Markdown
Author

shawnjohnjr commented May 13, 2026

This analyzer is super curious to me given how specific it is. I wonder how many people use it - are you a user? 😅

Yes. 💯

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

core changes to core tests test cases

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shawnjohnjr @chadlwilson