jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Wrongly reporting vulnerability CVE-2020-27225 on org.eclipse.osgi-3.18.0 #5882

Open prabutdr opened 1 year ago

prabutdr commented 1 year ago

Package URL

pkg:maven/org.eclipse.platform/org.eclipse.osgi@3.18.0

CPE

cpe:2.3:a:eclipse:platform:::::::: versions up to (including) 4.18

CVE

CVE-2020-27225

ODC Integration

Maven Plugin

ODC Version

8.3.1

Description

Per the CVE, the affected component is Eclipse Platform, at least until version 4.18: cpe:2.3:a:eclipse:platform:::::::: versions up to (including) 4.18

Only the 3PP "org.eclipse.osgi-3.18.0.jar" is used; the vulnerable 3PP component ("Eclipse Platform process or Eclipse Rich Client Platform process") is NOT packed or used, and it is NOT packed even as an indirect dependency in the environment. This only packs "org/eclipse/platform/org.eclipse.osgi/3.18.0" as an indirect dependency of Karaf, which is not vulnerable. But the tool is reporting this vulnerability on org.eclipse.osgi-3.18.0.jar, which is wrong.

From the Dependency Check tool team, we need confirmation of these false positives. Could you please validate and confirm?

github-actions[bot] commented 1 year ago

Maven Coordinates

<dependency>
   <groupId>org.eclipse.platform</groupId>
   <artifactId>org.eclipse.osgi</artifactId>
   <version>3.18.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5882
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.platform/org\.eclipse\.osgi@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:platform</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5887189424
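
Until the rule lands in the bundled suppression file, a project that hits this finding can carry it locally. The following is an added example, not part of the issue thread or of the dependency-check project's own code: a project-local suppression file with the bot's rule, plus the dependency-check-maven configuration that loads it. The file name `dependency-check-suppressions.xml` and the `failBuildOnCVSS` threshold are assumptions; the packageUrl regex and the CPE are the ones from the bot's comment, and the plugin version is the 8.3.1 the reporter used. The `base="true"` attribute is left out because it marks rules that belong to the suppression file bundled with dependency-check itself; a project-local rule without it is listed in the report's suppressed-vulnerabilities section, so the suppression stays visible to reviewers.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml, kept next to pom.xml (file name is an assumption).
     Same rule the bot posted above, minus base="true", which is reserved for rules in
     dependency-check's own bundled suppression file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <notes><![CDATA[
      CVE-2020-27225 is reported against the Eclipse Platform CPE, not the Equinox
      OSGi framework jar. Tracked as a false positive in jeremylong/DependencyCheck#5882.
      ]]></notes>
      <!-- Anchored regex: every version of org.eclipse.platform:org.eclipse.osgi,
           and nothing else from the org.eclipse.platform group. -->
      <packageUrl regex="true">^pkg:maven/org\.eclipse\.platform/org\.eclipse\.osgi@.*$</packageUrl>
      <!-- Suppress only the eclipse:platform CPE match; any other CPE identified
           for the jar keeps reporting. dependency-check writes CPEs in the
           cpe:/a:vendor:product form, not the cpe:2.3 form quoted in the issue. -->
      <cpe>cpe:/a:eclipse:platform</cpe>
   </suppress>
</suppressions>

<!-- ===== pom.xml, inside <build><plugins>: load the file via suppressionFiles ===== -->
<plugin>
   <groupId>org.owasp</groupId>
   <artifactId>dependency-check-maven</artifactId>
   <version>8.3.1</version>
   <configuration>
      <suppressionFiles>
         <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
      </suppressionFiles>
      <!-- Assumption: fail the build on anything left unsuppressed at CVSS 7 or higher,
           so the suppression above is the only way this finding stops blocking builds. -->
      <failBuildOnCVSS>7</failBuildOnCVSS>
   </configuration>
   <executions>
      <execution>
         <goals>
            <goal>check</goal>
         </goals>
      </execution>
   </executions>
</plugin>
```

After `mvn verify`, the CVE should move from the findings to the suppressed section of `target/dependency-check-report.html`. Scoping the rule to the single pURL pattern plus the single CPE, rather than suppressing the CVE globally, keeps the rule from hiding CVE-2020-27225 if a genuine Eclipse Platform artifact is ever pulled in.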

prabutdr commented 1 year ago

Hi team, any update on this pls?

profhenry commented 7 months ago

The eclipse maintainer stated that this is indeed a false positive and that the mentioned artifact (Equinox OSGi Framework) was never affected by CVE-2020-27225, see here.

So please add this as a false positive, thanks in advance.