jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

False Positive on Kotlin #2785

Open camelpunch opened 3 years ago

camelpunch commented 3 years ago

False positive on kotlin-stdlib-jdk8-1.4.0.jar (and a few other core kotlin 1.4.0 libraries) - reported as:

Last night, after a change that NIST made, the core Kotlin libraries started reporting as vulnerable to CVE-2020-15824 despite the advisory stating that 1.4.0 fixes the issue.

jamesrgrinter commented 3 years ago

This looks like the ones we just hit: dependency-check is getting confused by the versioning, and deciding that the rules that match the "milestone1" pre-release also apply to 1.4.0 (release).

Identifiers:
pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.4.0  (Confidence:Highest)
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*  (Confidence:Highest)  suppress

etc.

jeremylong commented 3 years ago

This is going to be a more interesting FP to resolve and will take code changes. I may not get to this right away - but what you can do is add a suppression for the CVE to your current scans.
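
A suppression file of the kind suggested in the comment above, as an added example that is not from this thread or from the project's own documentation. The regex is scoped to the `org.jetbrains.kotlin` artifacts at 1.4.x quoted in this thread and is tied to the single CVE, so any other finding against these jars still surfaces; the `until` date is an assumed placeholder chosen so the suppression expires and has to be re-examined:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- False positive: dependency-check maps the 1.4.x release jars to the
       cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1 entry, which carries
       CVE-2020-15824 even though the advisory says 1.4.0 fixes it.
       The 'until' date is an assumed placeholder: once it passes, the
       suppression stops applying and the finding must be re-checked. -->
  <suppress until="2021-12-31Z">
    <notes><![CDATA[
      CVE-2020-15824 reported against Kotlin 1.4.x release jars; the CPE
      match is the milestone1 pre-release, not the released version.
    ]]></notes>
    <!-- Match only Kotlin artifacts at 1.4.<patch>, not every kotlin jar -->
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-.*@1\.4\.\d+$</packageUrl>
    <!-- Bind the suppression to this one CVE so new advisories still show up -->
    <cve>CVE-2020-15824</cve>
  </suppress>
</suppressions>
```

Pass the file to the scanner with the CLI's `--suppression <path>` option (or the equivalent `suppressionFiles` setting of the Maven and Gradle plugins). Suppressing by `<cpe>` alone would hide every Kotlin finding, which is why the example keys on the package URL plus the specific CVE instead.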

timpharo commented 3 years ago

We just fell into this trap too and I'm guessing suppression is still the way forward here as updating to the latest components (1.4.20 at the time of writing) still produces the FP. Any news on the update on this @jeremylong?

lathspell commented 3 years ago

Maybe you could add a temporary entry to dependencycheck-base-hint.xml that filters this bug as it is apparently hard to fix?

kevcodez commented 3 years ago

Same issues with Kotlin 1.4.30

sonique6784 commented 2 years ago

any update on this one? I'm facing similar issues with Kotlin 1.4.32