jchambers / fast-uuid

A Java library for quickly and efficiently parsing and writing UUIDs
MIT License

CVE-2020-23921 vulnerability reported on fast-uuid #14

Closed babuv2 closed 3 years ago

babuv2 commented 3 years ago

OWASP vulnerability scan has reported CVE-2020-23921 https://nvd.nist.gov/vuln/detail/CVE-2020-23921 on fast-uuid jar. Can we check if this is a real vulnerability for this library and if yes what can be done to mitigate the same

slandelle commented 3 years ago

An issue was discovered in fast_ber through v0.4. yy::yylex() in asn_compiler.hpp has a heap-based buffer over-read.

https://github.com/Samuel-Tyler/fast_ber/issues/30

Completely unrelated to this project, which is pretty clear if you read the CVE.

babuv2 commented 3 years ago

@slandelle, just wanted to check if we can suppress this as a false positive. Just wanted to confirm. Thank you for your swift response.

jchambers commented 3 years ago

I agree that the CVE is for an entirely unrelated project, but can you please say more about the tool you used to perform the scan? I'd at least like to understand how this came up as a false positive.

babuv2 commented 3 years ago

Hi @jchambers,

It was tagged by https://jeremylong.github.io/DependencyCheck/dependency-check-maven/

This is the OWASP dependency check plugin that analyzes all the dependencies of a project (in our case fast-uuid, which is a transitive dependency of the pushy library that we use) and tags the vulnerable libraries. The vulnerabilities are read from the NVD database.

The Maven plugin gives more details on the same.

Do let me know if you would need more details from my side. Will be happy to help.

Thanks & Regards

Vivek
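A Dependency-Check suppression file that records this CVE as a false positive for the fast-uuid artifact only, so unrelated findings keep surfacing; this is an added example, not part of the original thread or the project. It assumes fast-uuid's Maven coordinates are com.eatthepath:fast-uuid and that the file is saved as suppressions.xml next to the pom.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml for OWASP Dependency-Check (schema 1.3).
     Scope the suppression as narrowly as possible: one CVE, one artifact.
     Suppressing by a bare CPE or by CVE alone would also hide the same
     CVE ID if it ever matched a different dependency. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2020-23921 describes a heap-based buffer over-read in fast_ber
        (a C++ ASN.1 library, https://github.com/Samuel-Tyler/fast_ber/issues/30).
        fast-uuid is an unrelated Java UUID parser; the match is a name collision.
        Reviewed: see jchambers/fast-uuid issue #14.
        ]]></notes>
        <!-- Package URL is an assumption: groupId com.eatthepath, artifactId fast-uuid.
             The regex keeps the suppression valid across version bumps. -->
        <packageUrl regex="true">^pkg:maven/com\.eatthepath/fast\-uuid@.*$</packageUrl>
        <cve>CVE-2020-23921</cve>
    </suppress>
</suppressions>
```

Wire it into the build by adding `<suppressionFiles><suppressionFile>suppressions.xml</suppressionFile></suppressionFiles>` to the `<configuration>` of the org.owasp:dependency-check-maven plugin; the notes block is what a later reviewer reads to decide whether the suppression is still justified.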