horca closed this 2 years ago
This was hiding in the sea of other issues related to 'james'. Now that 7.0.1 is out i'll work on pushing the following suppression upstream:
```xml
<suppress base="true">
   <notes><![CDATA[
   org.apache.james:apache-mime4j-core and apache-mime4j-dom FPs
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j\-(core|dom)@.*$</packageUrl>
   <cve>CVE-2021-38542</cve>
   <cve>CVE-2021-40110</cve>
   <cve>CVE-2021-40111</cve>
   <cve>CVE-2021-40525</cve>
</suppress>
```
@jeremylong added these as the individual CVEs ... wary of doing anything more general due to the recent issues with 'james'.
Let me know if you'd prefer a different approach and i'll update.
I think it is safe to expect NVD to register CVEs against a separate CPE for the mime4j project once the first CVE for one of its libraries surfaces, so in my view it would be appropriate to suppress the James CPE as a whole. The project is recognized as an independent 'external' subproject on the Apache James project site. For each of Mime4j, jSieve, jSPF and jDKIM it may be expected that an appropriate CPE will be used when CVEs for them arise, as they are clearly independently governed/versioned from the main Apache James enterprise mail server.
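The CPE-wide alternative discussed above, written out as an added example (not a rule from this thread or from the project's bundled suppressions). It reuses the packageUrl regex from the per-CVE rule and assumes the false positive is reported against the Apache James server CPE `cpe:/a:apache:james`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Added example: suppress every finding that maps the mime4j artifacts to the
       Apache James mail server CPE, instead of listing CVEs one by one.
       Assumption: the scanner reports the false positive against cpe:/a:apache:james. -->
  <suppress>
    <notes><![CDATA[
    apache-mime4j-core / apache-mime4j-dom are independently versioned James subprojects;
    findings against the James mail server CPE are false positives for them.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j\-(core|dom)@.*$</packageUrl>
    <cpe>cpe:/a:apache:james</cpe>
  </suppress>
</suppressions>
```

Unlike the per-CVE rule, this also covers James server CVEs published after the file was written, which is the trade-off the comment above argues for; it does not hide findings the scanner attributes to a distinct mime4j CPE.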
I've got another one that falls into the same category AFAICT. Separate issue?
mime4j-dom has no dependency to JDOM as per https://github.com/apache/james-mime4j.
Is the root cause that they both have "j" + "dom" in their name? JDOM vs ...j-dom?
@marcelstoer entirely different FP. this issue is about CVEs of apache james mailserver, not about issues on jdom
Have been meaning to provide an MR for this, it showed up for me as well. Unfortunately other things have been getting in the way. Will attempt to provide an MR next week.
@jellisgwn thanks, looking forward to that.
@marcelstoer new ticket #4370 and PR created
False positive on library apache-mime4j-core-0.8.6.jar - reported as Apache James JPA server. See https://james.apache.org/download.cgi for different libraries from Apache James project.