jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Incorrect match for Apache Sling #5864

Closed karthickm512 closed 1 year ago

karthickm512 commented 1 year ago

Package URL

pkg:maven/org.apache.sling/org.apache.sling.commons.johnzon@1.2.14

CPE

cpe:2.3:a:apache:sling:1.2.14:*:*:*:*:*:*:*

CVE

CVE-2022-45064

ODC Integration

Maven Plugin

ODC Version

8.3.1

Description

While scanning our software, which packs Apache Karaf 4.4.3 (containing [org.apache.sling.commons.johnzon] 1.2.14), with Dependency-Check, https://nvd.nist.gov/vuln/detail/CVE-2022-45064 is reported.

The impacted component as per the CVE is Apache Sling Engine, which has the fixed version 2.14.x, but the scan incorrectly identifies Apache Commons Johnzon, whose latest version is 1.2.14. Refer to https://sling.apache.org/downloads.cgi

github-actions[bot] commented 1 year ago

Maven Coordinates

<dependency>
   <groupId>org.apache.sling</groupId>
   <artifactId>org.apache.sling.commons.johnzon</artifactId>
   <version>1.2.14</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5864
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$</packageUrl>
   <cpe>cpe:/a:apache:johnzon</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5784442462

aikebah commented 1 year ago

@karthickm512 In the FP report CPE you should report the CPE that was incorrectly identified, not the CPE of the component itself. I'll fix this one to get the proper suppression.

github-actions[bot] commented 1 year ago

Maven Coordinates

<dependency>
   <groupId>org.apache.sling</groupId>
   <artifactId>org.apache.sling.commons.johnzon</artifactId>
   <version>1.2.14</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5864
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$</packageUrl>
   <cpe>cpe:/a:apache:sling</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5784778390
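To show why the corrected rule works and the first one did not, here is an added example (not part of the issue or of dependency-check's code base) that models suppression matching in a few lines: the packageUrl regex selects the dependency, and the `<cpe>` value is matched as a prefix of the identified CPE, which is an assumption about ODC's behaviour made for this illustration. The `Suppress` class and helper names are hypothetical; the package URL and CPE are the ones from this issue.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed from the issue: the dependency's package URL and the CPE that
# dependency-check wrongly attached to it (Apache Sling instead of Johnzon).
DEP_PURL = "pkg:maven/org.apache.sling/org.apache.sling.commons.johnzon@1.2.14"
DEP_CPES = ["cpe:2.3:a:apache:sling:1.2.14:*:*:*:*:*:*:*"]


@dataclass
class Suppress:
    """Minimal model of an ODC <suppress> rule (hypothetical helper class)."""
    package_url: str
    cpe: str
    package_url_regex: bool = True


def cpe23_to_22_prefix(cpe23: str) -> str:
    """Reduce 'cpe:2.3:a:apache:sling:1.2.14:*:...' to 'cpe:/a:apache:sling:1.2.14'."""
    parts = cpe23.split(":")  # ['cpe', '2.3', part, vendor, product, version, ...]
    return "cpe:/" + ":".join(parts[2:6])


def suppressed_cpes(rule: Suppress, purl: str, cpes: list[str]) -> list[str]:
    """Return the identified CPEs of a dependency that the rule would suppress.

    Assumption: the packageUrl element selects the dependency and the <cpe>
    element matches any identified CPE that starts with its value.
    """
    if rule.package_url_regex:
        if not re.match(rule.package_url, purl):
            return []
    elif rule.package_url != purl:
        return []
    hits = []
    for cpe in cpes:
        short = cpe23_to_22_prefix(cpe)
        # Prefix match on whole components only (':' boundary or exact match).
        if short == rule.cpe or short.startswith(rule.cpe + ":"):
            hits.append(cpe)
    return hits


PURL_PATTERN = r"^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$"
FIRST_RULE = Suppress(PURL_PATTERN, "cpe:/a:apache:johnzon")  # component's own CPE
SECOND_RULE = Suppress(PURL_PATTERN, "cpe:/a:apache:sling")   # the mis-identified CPE

if __name__ == "__main__":
    print(suppressed_cpes(FIRST_RULE, DEP_PURL, DEP_CPES))   # [] -> CVE still reported
    print(suppressed_cpes(SECOND_RULE, DEP_PURL, DEP_CPES))  # the sling CPE is suppressed
```

Run against the issue's data, the first rule (Johnzon's own CPE) suppresses nothing, while the second rule (the wrongly identified Sling CPE) removes the false positive.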

aikebah commented 1 year ago

approved

github-actions[bot] commented 1 year ago

Suppress rule has been added to the generatedSuppressions branch.