jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: quarkus-keycloak-authorization gets flagged with keycloak CVEs #5089

Closed Felk closed 1 year ago

Felk commented 1 year ago

Package URL

pkg:maven/io.quarkus/quarkus-keycloak-authorization@2.14.1.Final

CPE

cpe:2.3:a:keycloak:keycloak:2.14.1:*:*:*:*:*:*:*, cpe:2.3:a:quarkus:quarkus:2.14.1:*:*:*:*:*:*:*, cpe:2.3:a:redhat:keycloak:2.14.1:*:*:*:*:*:*:*

CVE

CVE-2022-1245, CVE-2021-20195, CVE-2019-14837, CVE-2017-12161, CVE-2019-10199, CVE-2020-1714, CVE-2020-1718, CVE-2018-14637, CVE-2019-10201, CVE-2020-14389, CVE-2021-3827, CVE-2019-14832, CVE-2020-10758, CVE-2020-14366, CVE-2021-3513, CVE-2021-3632, CVE-2021-3637, CVE-2021-20202, CVE-2019-10169, CVE-2019-10170, CVE-2020-27838, CVE-2022-1466, CVE-2021-20323, CVE-2020-1758, CVE-2020-1744, CVE-2019-10157, CVE-2020-1698, CVE-2020-1697, CVE-2020-1725, CVE-2020-1727, CVE-2020-1728, CVE-2020-10770, CVE-2018-10912, CVE-2020-14302, CVE-2020-1694, CVE-2019-3875, CVE-2020-10776, CVE-2019-14820, CVE-2020-1724, CVE-2021-3856, CVE-2020-27826, CVE-2019-3868

ODC Integration

Maven Plugin

ODC Version

7.3.1

Description

quarkus-keycloak-authorization-2.14.1.Final.jar gets flagged with a bunch of CVEs that don't apply to quarkus' keycloak dependency but to keycloak itself. Seems like it accidentally matches keycloak CPEs?

This minimal suppression works for me:

<suppress>
  <!-- The quarkus-keycloak-authorization dependency erroneously matches some keycloak CPEs -->
  <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-keycloak-authorization@.*$</packageUrl>
  <cpe>cpe:/a:keycloak:keycloak</cpe>
  <cpe>cpe:/a:redhat:keycloak</cpe>
</suppress>
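To check what a rule like the one above actually hides before committing it, the following added example (not code from the dependency-check project or from the issue author) builds a suppressions.xml document with the rule, parses it, and applies it to the package URL and the three CPEs reported in this issue. The match semantics modelled here, a regex over the package URL combined with a prefix match on the CPE after converting the 2.3 string to the cpe:/ URI form the cpe element uses, follow the documented suppression-file format but are a simplified re-implementation, not dependency-check's own matching code; the finding data is constructed from the issue's fields.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the dependency-check suppression file schema.
NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Finding reported in this issue (constructed from the issue's Package URL and
# CPE fields; the 2.3 strings are written out with their '*' wildcards).
FINDING_PURL = "pkg:maven/io.quarkus/quarkus-keycloak-authorization@2.14.1.Final"
FINDING_CPES = [
    "cpe:2.3:a:keycloak:keycloak:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:quarkus:quarkus:2.14.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:redhat:keycloak:2.14.1:*:*:*:*:*:*:*",
]

# Package URL pattern from the suppression rule in the issue.
PURL_REGEX = r"^pkg:maven/io\.quarkus/quarkus-keycloak-authorization@.*$"


def make_suppressions(cpe_prefixes):
    """Build a suppressions.xml document with one rule scoped to the
    quarkus-keycloak-authorization package URL and the given <cpe> prefixes."""
    cpe_elems = "".join(f"    <cpe>{c}</cpe>\n" for c in cpe_prefixes)
    return (
        f'<suppressions xmlns="{NS}">\n'
        "  <suppress>\n"
        "    <notes><![CDATA[FP per issue #5089]]></notes>\n"
        f'    <packageUrl regex="true">{PURL_REGEX}</packageUrl>\n'
        f"{cpe_elems}"
        "  </suppress>\n"
        "</suppressions>\n"
    )


def q(tag):
    """Namespace-qualify a tag name for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


def parse_rules(xml_text):
    """Extract the packageUrl pattern and cpe prefixes of every <suppress>."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.iter(q("suppress")):
        purl_el = sup.find(q("packageUrl"))
        rules.append({
            "purl": None if purl_el is None else purl_el.text.strip(),
            "regex": purl_el is not None and purl_el.get("regex") == "true",
            "cpes": [c.text.strip() for c in sup.findall(q("cpe"))],
        })
    return rules


def cpe23_to_uri(cpe23):
    """cpe:2.3:part:vendor:product:version:... -> cpe:/part:vendor:product:version
    (the URI form that the <cpe> suppression element is written in)."""
    fields = cpe23.split(":")
    if fields[:2] != ["cpe", "2.3"] or len(fields) < 6:
        raise ValueError("not a CPE 2.3 formatted string: " + cpe23)
    return "cpe:/" + ":".join(fields[2:6])


def purl_matches(rule, purl):
    """A rule without <packageUrl> applies to every dependency."""
    if rule["purl"] is None:
        return True
    if rule["regex"]:
        return re.fullmatch(rule["purl"], purl) is not None
    return rule["purl"] == purl


def apply_suppressions(xml_text, purl, cpes):
    """Return (suppressed, remaining) CPE lists for one dependency: a CPE is
    suppressed when some rule matches the package URL AND one of its <cpe>
    prefixes is a prefix of the CPE in URI form (simplified model)."""
    rules = parse_rules(xml_text)
    suppressed, remaining = [], []
    for cpe in cpes:
        uri = cpe23_to_uri(cpe)
        hit = any(
            purl_matches(r, purl) and any(uri.startswith(p) for p in r["cpes"])
            for r in rules
        )
        (suppressed if hit else remaining).append(cpe)
    return suppressed, remaining


if __name__ == "__main__":
    both = make_suppressions(["cpe:/a:keycloak:keycloak", "cpe:/a:redhat:keycloak"])
    base = make_suppressions(["cpe:/a:keycloak:keycloak"])
    print("issue rule :", apply_suppressions(both, FINDING_PURL, FINDING_CPES))
    print("base rule  :", apply_suppressions(base, FINDING_PURL, FINDING_CPES))
```

Run against the issue's data, the rule with both cpe elements leaves only cpe:/a:quarkus:quarkus, while a rule carrying cpe:/a:keycloak:keycloak alone still leaves cpe:/a:redhat:keycloak (and whatever CVEs hang off it) in the report. Because the rule is scoped by packageUrl, the same CPE prefixes on a different artifact are untouched, so genuine Keycloak findings are not hidden. The generated document is what you would save as a suppression file and reference from the Maven plugin's suppressionFiles configuration.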
github-actions[bot] commented 1 year ago

Maven Coordinates

<dependency>
   <groupId>io.quarkus</groupId>
   <artifactId>quarkus-keycloak-authorization</artifactId>
   <version>2.14.1.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5089
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-keycloak-authorization@.*$</packageUrl>
   <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3540687922

github-actions[bot] commented 1 year ago

Maven Coordinates

<dependency>
   <groupId>io.quarkus</groupId>
   <artifactId>quarkus-keycloak-authorization</artifactId>
   <version>2.14.1.Final</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5089
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-keycloak-authorization@.*$</packageUrl>
   <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3540728293