jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: commons-collections:commons-collections:3.2.2 #4326

Closed abhimankhutia closed 2 years ago

abhimankhutia commented 2 years ago

Package URL

pkg:maven/commons-collections/commons-collections@3.2

CPE

cpe:2.3:a:apache:commons_collections:3.2:*:*:*:*:*:*:*

CVE

CVE-2017-15708

ODC Integration

No response

ODC Version

6.5.3

Description

CVE-2017-15708 is wrongly reported for commons-collections:commons-collections:3.2.2; it should have been reported for the Apache Synapse software component.

github-actions[bot] commented 2 years ago

Maven Coordinates

<dependency>
   <groupId>commons-collections</groupId>
   <artifactId>commons-collections</artifactId>
   <version>3.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4326
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-collections/commons-collections@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_collections</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2114251647
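The generated rule above is a small matching problem: the `packageUrl` regex scopes it to one artifact, and the `<cpe>` element removes the whole commons_collections CPE identification, so every CVE tied to that CPE disappears, not only CVE-2017-15708. The following Python is an added example, not dependency-check's code and not part of this thread. It approximates the semantics dependency-check documents for `<packageUrl>`, `<cpe>` and `<cve>` (assumed here: full-string regex matching for the package URL, component-wise prefix matching for the CPE in its 2.2 URI form) and runs the bot's rule beside a narrower, constructed `<cve>`-only rule against constructed findings; the `CVE-0000-0000` id and the `org.example` artifact are placeholders.

```python
"""Evaluate dependency-check-style suppression rules against findings.

Added example, not dependency-check's own code: approximates the matching
semantics of <packageUrl>, <cpe> and <cve> so the effect of the bot's rule
can be compared with a narrower <cve>-only rule.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Rule the FP-workflow bot posted in this issue, wrapped in the <suppressions>
# root element a suppression file uses (schema namespace omitted here).
BOT_RULE_XML = """<suppressions>
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #4326
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-collections/commons-collections@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_collections</cpe>
  </suppress>
</suppressions>"""

# Constructed alternative: a project-local rule that hides only the single
# mis-attributed CVE and leaves the CPE identification in place.
NARROW_RULE_XML = """<suppressions>
  <suppress>
    <notes><![CDATA[Only the CVE that belongs to Apache Synapse]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-collections/commons-collections@.*$</packageUrl>
    <cve>CVE-2017-15708</cve>
  </suppress>
</suppressions>"""


@dataclass
class Rule:
    package_url: Optional[str]
    package_url_regex: bool
    cpe: Optional[str]  # CPE 2.2 URI prefix, e.g. cpe:/a:apache:commons_collections
    cve: Optional[str]
    base: bool          # base="true": a rule destined for ODC's bundled suppression file


@dataclass
class Finding:
    purl: str   # package URL of the dependency
    cpe23: str  # CPE 2.3 formatted string the analyzer assigned
    cve: str    # vulnerability attached to that CPE


def parse_rules(xml_text: str) -> List[Rule]:
    """Parse every <suppress> element of a suppression document."""
    rules = []
    for s in ET.fromstring(xml_text).iter("suppress"):
        purl = s.find("packageUrl")
        rules.append(Rule(
            package_url=purl.text.strip() if purl is not None and purl.text else None,
            package_url_regex=purl is not None and purl.get("regex", "false") == "true",
            cpe=(s.findtext("cpe") or "").strip() or None,
            cve=(s.findtext("cve") or "").strip() or None,
            base=s.get("base", "false") == "true",
        ))
    return rules


def cpe23_to_cpe22(cpe23: str) -> str:
    """cpe:2.3:a:apache:commons_collections:3.2:*:*:*:*:*:*:* -> cpe:/a:apache:commons_collections:3.2"""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe23}")
    fields = parts[2:]
    while fields and fields[-1] == "*":  # drop trailing ANY wildcards
        fields.pop()
    return "cpe:/" + ":".join(fields)


def cpe_prefix_matches(rule_cpe: str, cpe22: str) -> bool:
    """Component-wise prefix: a version-less rule covers every version, but
    cpe:/a:apache:commons_collections does not cover commons_collections_other."""
    want, have = rule_cpe.split(":"), cpe22.split(":")
    return have[:len(want)] == want


def rule_suppresses(rule: Rule, f: Finding) -> bool:
    # <packageUrl> scopes the rule to one dependency; other artifacts are never touched.
    if rule.package_url is not None:
        if rule.package_url_regex:
            if re.fullmatch(rule.package_url, f.purl) is None:
                return False
        elif rule.package_url != f.purl:
            return False
    # <cve> removes exactly one vulnerability ...
    if rule.cve is not None and rule.cve.upper() == f.cve.upper():
        return True
    # ... while <cpe> removes the identification itself, and every CVE hung off it.
    return rule.cpe is not None and cpe_prefix_matches(rule.cpe, cpe23_to_cpe22(f.cpe23))


def remaining_findings(findings: List[Finding], rules: List[Rule]) -> List[Finding]:
    """Findings that would still appear in the report after applying the rules."""
    return [f for f in findings if not any(rule_suppresses(r, f) for r in rules)]


# Constructed sample findings. CVE-0000-0000 is a placeholder standing in for any
# other CVE NVD attaches to the commons_collections CPE; org.example is made up.
CC_PURL = "pkg:maven/commons-collections/commons-collections@3.2.2"
CC_CPE = "cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*"
FP = Finding(CC_PURL, CC_CPE, "CVE-2017-15708")
OTHER = Finding(CC_PURL, CC_CPE, "CVE-0000-0000")
UNRELATED = Finding("pkg:maven/org.example/other@1.0",
                    "cpe:2.3:a:example:other:1.0:*:*:*:*:*:*:*", "CVE-2017-15708")
SAMPLE_FINDINGS = [FP, OTHER, UNRELATED]

if __name__ == "__main__":
    for label, xml_text in (("bot rule (<cpe>)", BOT_RULE_XML), ("narrow rule (<cve>)", NARROW_RULE_XML)):
        left = remaining_findings(SAMPLE_FINDINGS, parse_rules(xml_text))
        print(f"{label}: still reported -> {[f.cve + ' on ' + f.purl for f in left]}")
```

Run as a script it prints what survives each rule: the bot's `<cpe>` rule also hides the placeholder `CVE-0000-0000` on the same artifact, while the `<cve>` rule hides only CVE-2017-15708, and neither touches the unrelated artifact because the `packageUrl` guard fails first. That breadth is the practical reason the maintainer below prefers correcting the data source over shipping a suppression.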

aikebah commented 2 years ago

Created an issue upstream at OSSINDEX: https://github.com/OSSIndex/vulns/issues/270

Janpopan commented 2 years ago

@abhimankhutia can you try ODC 7.0.4 to see if this issue is solved there?

aikebah commented 2 years ago

@Janpopan the FP workflow already ran an analysis with ODC 7.0.4 that surfaces this FP, due to OSSINDEX returning the CVE for commons-collections. That is why I opened the ticket at OSSINDEX: it's better to fix the source than to have ODC suppress it.

aikebah commented 2 years ago

Appears to have been resolved in OSSINDEX in the meantime.