## CVE-2022-45688 true & false positive (WTF ??)

The project contains a [fastjson]( dependency with [CVE-2022-25845](

The vulnerability occurs because markup in JSON is interpreted as Java beans, i.e. classes are instantiated and properties are
set by executing setter methods. This is done using reflection. If a class is on the classpath whose setters
can trigger behaviour such as executing code (in the example, this class is `Trigger`; the respective input is `CVE-2022-25845.json`), then this can be exploited.

The interesting part is the use of reflection here, as shown in the stacktrace below, taken from running the included test used to demonstrate the

```
setName:11, Trigger
invoke0:-1, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:62, NativeMethodAccessorImpl (jdk.internal.reflect) [2]
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
setValue:167, FieldDeserializer (
deserialze:155, ThrowableDeserializer (
parseObject:405, DefaultJSONParser (
parse:1430, DefaultJSONParser (
parse:1390, DefaultJSONParser (
parse:181, JSON (
parse:191, JSON (
parse:147, JSON (
main:18, CheckJSON (scabench)
confirmCVE202225845:39, ConfirmVulnerabilitiesTests (scabench)
```

Standard metadata-based SCA tools have no problem identifying the vulnerability; this is "business as usual". However, callgraph-based tools
are likely to miss it, as callgraph construction generally fails to model reflective calls. In this sense, this is
both a true positive and a false negative, depending on the analysis being used.
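As an added illustration (not the project's or fastjson's code), here is a minimal reflective bean populator of the kind described above: a property `name` in the input becomes a call to `setName(...)` through `Method.invoke`, which is exactly the edge a static callgraph does not record. The `Person` class and the deny-by-default type allowlist used as mitigation are assumptions for this example.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for the bean-population step, not fastjson code.
public class ReflectiveBeanPopulator {

    // Assumed bean: its setter is only ever reached through reflection.
    public static class Person {
        private String name;
        public void setName(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Mitigation (assumed policy): deny by default, only listed classes may be built from input.
    private static final Set<String> ALLOWED_TYPES = Set.of(Person.class.getName());

    public static Object populate(String typeName, Map<String, Object> props) throws Exception {
        if (!ALLOWED_TYPES.contains(typeName)) {
            throw new SecurityException("type not allowed for deserialization: " + typeName);
        }
        Class<?> clazz = Class.forName(typeName); // the target class is chosen by the input
        Object bean = clazz.getDeclaredConstructor().newInstance();
        for (Map.Entry<String, Object> p : props.entrySet()) {
            String setter = "set" + Character.toUpperCase(p.getKey().charAt(0)) + p.getKey().substring(1);
            for (Method m : clazz.getMethods()) {
                if (m.getName().equals(setter) && m.getParameterCount() == 1
                        && m.getParameterTypes()[0].isInstance(p.getValue())) {
                    // A static callgraph sees a call to Method.invoke here, not to Person.setName;
                    // that missing edge is why a callgraph-based SCA reports a false negative.
                    m.invoke(bean, p.getValue());
                    break;
                }
            }
        }
        return bean;
    }

    public static void main(String[] args) throws Exception {
        Person p = (Person) populate(Person.class.getName(), Map.of("name", "alice"));
        System.out.println("populated name: " + p.getName());
        try {
            populate("Trigger", Map.of("name", "x")); // class named by input but not on the allowlist
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```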

Note that there is a proof-of-vulnerability test that demonstrates the vulnerability; this test (and therefore the build with `mvn test`)
fails. See []( for how the test works.

### Running Software Composition Analyses

There are several shell scripts to run different analyses; the result reports can be found in `scan-results`.

### Generating the SBOM

The `pom.xml` has a plugin to generate an [SBOM]( in [CycloneDX]( format.
To do this, run `mvn cyclonedx:makePackageBom`; the SBOM can then be found in
`target/` in `json` and `xml` format.