jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

False positives on SNMP4J, SNMP4J-Agent and related APIs #1248

Closed oosnmp closed 6 years ago

oosnmp commented 6 years ago

Reporting False Positives

False positives are reported on all SNMP4J APIs in all versions:

        <dependency>
            <groupId>org.snmp4j</groupId>
            <artifactId>snmp4j</artifactId>
        </dependency>
        <dependency>
            <groupId>org.snmp4j</groupId>
            <artifactId>snmp4j-agent</artifactId>
        </dependency>
        <dependency>
            <groupId>org.snmp4j</groupId>
            <artifactId>snmp4j-agentx</artifactId>
        </dependency>
        <dependency>
            <groupId>org.snmp4j.smi</groupId>
            <artifactId>snmp4j-smi-pro</artifactId>
        </dependency>
        <dependency>
            <groupId>org.snmp4j</groupId>
            <artifactId>snmp4j-model</artifactId>
        </dependency>

CVE is: https://nvd.nist.gov/vuln/detail/CVE-2015-5621

CPE is https://nvd.nist.gov/products/cpe/search/results?keyword=cpe%3a2.3%3aa%3anet-snmp%3anet-snmp%3a*%3a*%3a*%3a*%3a*%3a*%3a*%3a*&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.3
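
Until a release carries the corrected matching, the usual way to silence this class of false positive on your own builds is a dependency-check suppression file. The block below is an added example written for this issue, not something posted by the reporter or shipped by the project. It assumes the suppression schema 1.3 namespace and a build that already points dependency-check at a suppression file (`--suppression` on the CLI, `suppressionFiles` in the Maven plugin); the regex, the notes text and the decision to suppress the CPE rather than the single CVE are my choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!--
      Example suppression for the SNMP4J false positive in issue #1248.
      SNMP4J (org.snmp4j / org.snmp4j.smi) is a Java SNMP stack that is
      unrelated to the C net-snmp project, so the cpe:/a:net-snmp:net-snmp
      identification is wrong for every artifact in these groups.
    -->
    <suppress>
        <notes><![CDATA[
          Constructed example: SNMP4J is not net-snmp. Suppress the mis-assigned
          CPE rather than CVE-2015-5621 alone, so that future net-snmp CVEs do
          not resurface as new false positives on the same artifacts.
        ]]></notes>
        <!-- Scope the suppression by package URL so a genuine net-snmp match
             on some other dependency is not hidden by this rule. -->
        <packageUrl regex="true">^pkg:maven/org\.snmp4j(\.smi)?/snmp4j.*@.*$</packageUrl>
        <cpe>cpe:/a:net-snmp:net-snmp</cpe>
    </suppress>
</suppressions>
```

Suppressing the CPE while constraining the rule to the `org.snmp4j` and `org.snmp4j.smi` groups is the narrowest rule that covers all five artifacts listed above. Suppressing only `CVE-2015-5621` would leave the wrong CPE in place and each new net-snmp advisory would reappear as a fresh finding; suppressing the CPE without the `packageUrl` constraint would also hide a real net-snmp component if one were ever bundled into the scanned tree.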

jeremylong commented 6 years ago

Thanks for the report. I'll try to sweep through all the FP reports soon and include them in the next release.

lock[bot] commented 6 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.