Open camelpunch opened 3 years ago
This looks like the ones we just hit: dependency-check is getting confused by the versioning, and deciding that the rules that match the "milestone1" pre-release also apply to 1.4.0 (release).
Identifiers:
pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.4.0 (Confidence:Highest)
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:* (Confidence:Highest)
etc.
This is going to be a more interesting FP to resolve and will take code changes. I may not get to this right away - but what you can do is add a suppression for the CVE to your current scans.
We just fell into this trap too, and I'm guessing suppression is still the way forward here, as updating to the latest components (1.4.20 at the time of writing) still produces the FP. Any news on the update on this @jeremylong?
Maybe you could add a temporary entry to dependencycheck-base-hint.xml that filters this bug, as it is apparently hard to fix?
Same issue with Kotlin 1.4.30
Any update on this one? I'm facing similar issues with Kotlin 1.4.32
False positive on kotlin-stdlib-jdk8-1.4.0.jar (and a few other core kotlin 1.4.0 libraries) - reported as:
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:jetbrains:kotlin:1.4.0:rc:*:*:*:*:*:*
Last night, after a change that NIST made, the core Kotlin libraries started reporting as vulnerable to CVE-2020-15824 despite the advisory stating that 1.4.0 fixes the issue.
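The suppression recommended earlier in the thread, written out as an added example (it is not a file from the thread or from the dependency-check project). It assumes the affected coordinates are `org.jetbrains.kotlin/kotlin-*` at 1.4.x, as the thread reports for kotlin-stdlib-jdk8 and the other core Kotlin 1.4.0 artifacts, and that the finding to hide is CVE-2020-15824, which the advisory says is fixed in 1.4.0. The `until` date is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the issue thread or the dependency-check project.
     Assumptions: the mis-identified artifacts are org.jetbrains.kotlin/kotlin-*
     at 1.4.x (the thread names kotlin-stdlib-jdk8 and "other core kotlin 1.4.0
     libraries"); the finding to hide is CVE-2020-15824, fixed in 1.4.0. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Expire the suppression so it gets revisited once dependency-check's
         version matching is fixed. Placeholder date (assumption). -->
    <suppress until="2021-12-31Z">
        <notes><![CDATA[
        False positive: the CPEs for the 1.4.0 pre-releases (milestone1..3, rc)
        are being matched to the 1.4.0+ release artifacts. CVE-2020-15824 is
        fixed in 1.4.0 per the advisory. Scoped to Kotlin 1.4.x only, so an
        older, genuinely affected 1.3.x artifact is still reported.
        ]]></notes>
        <!-- Which dependency: Kotlin artifacts at 1.4.x only (Java regex). -->
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-.*@1\.4\.\d+$</packageUrl>
        <!-- Which finding: only this CVE, not every CVE for the Kotlin CPE. -->
        <cve>CVE-2020-15824</cve>
    </suppress>
</suppressions>
```

Pass the file with `--suppression suppression.xml` on the CLI (or the Maven plugin's `suppressionFiles` setting). The conditions inside a `<suppress>` are combined, so the rule fires only when both the package URL matches a Kotlin 1.4.x artifact and the finding is CVE-2020-15824. Suppressing the `cpe:/a:jetbrains:kotlin` CPE outright would be simpler but would also silence any real Kotlin CVE published later, which is why the example keys on the CVE instead.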