Open prabutdr opened 1 year ago
Maven Coordinates
<dependency>
    <groupId>org.eclipse.platform</groupId>
    <artifactId>org.eclipse.osgi</artifactId>
    <version>3.18.0</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #5882
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.platform/org\.eclipse\.osgi@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:platform</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5887189424
Hi team, any update on this, please?
Package URL
pkg:maven/org.eclipse.platform/org.eclipse.osgi@3.18.0
CPE
cpe:2.3:a:eclipse:platform:::::::: versions up to (including) 4.18
CVE
CVE-2020-27225
ODC Integration
Maven Plugin
ODC Version
8.3.1
Description
Per the CVE, affected component: Eclipse Platform, at least until version 4.18 (cpe:2.3:a:eclipse:platform:::::::: versions up to (including) 4.18).
Only the 3PP "org.eclipse.osgi-3.18.0.jar" is used; the vulnerable 3PP component "Eclipse Platform process or Eclipse Rich Client Platform process" is NOT packed or used, and it is NOT packed as an indirect dependency in the environment either. This only packs "org/eclipse/platform/org.eclipse.osgi/3.18.0" as an indirect dependency of Karaf, which is not vulnerable. But the tool is reporting this vulnerability on org.eclipse.osgi-3.18.0.jar, which is wrong.
From the Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?
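The suppression rule posted above and the Package URL / CPE / version range from the report can be checked against each other. The following is an added example, not code from the issue or from DependencyCheck itself. It assumes that ODC applies `<packageUrl regex="true">` as a regular expression over the full purl string and that a non-regex `<cpe>` element matches by prefix on the CPE 2.2 URI form (both assumptions, marked in the comments). It also carries out the version comparison that places 3.18.0 inside "up to (including) 4.18", which is why CVE-2020-27225 was attached once the osgi artifact had been identified as `eclipse:platform`. The second purl used in the check (`org.eclipse.core.runtime@3.26.0`) is a constructed value to show the rule does not suppress other artifacts under the same groupId.

```python
import re

# Values copied verbatim from the issue.
SUPPRESSION_PURL_REGEX = r"^pkg:maven/org\.eclipse\.platform/org\.eclipse\.osgi@.*$"
SUPPRESSION_CPE = "cpe:/a:eclipse:platform"          # CPE 2.2 URI form, as in the suppression file
REPORTED_PURL = "pkg:maven/org.eclipse.platform/org.eclipse.osgi@3.18.0"
REPORTED_CPE_23 = "cpe:2.3:a:eclipse:platform::::::::"  # CPE 2.3 formatted string from the report
AFFECTED_UP_TO_INCLUDING = "4.18"

# Constructed purl (not from the issue) used to show the rule's scope.
OTHER_PURL = "pkg:maven/org.eclipse.platform/org.eclipse.core.runtime@3.26.0"


def cpe23_to_uri(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the CPE 2.2 URI form.

    Trailing empty or ANY ('*') components are dropped, so
    'cpe:2.3:a:eclipse:platform::::::::' becomes 'cpe:/a:eclipse:platform'.
    """
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe23)
    comps = ["" if c == "*" else c for c in parts[2:]]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)


def _version_key(version: str) -> tuple:
    """Split a dotted version into integer components; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_in_range(version: str, end_including: str) -> bool:
    """True if version <= end_including under numeric dotted comparison (padded with zeros)."""
    a, b = _version_key(version), _version_key(end_including)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def cve_range_matches(cpe23: str, version: str) -> bool:
    """Why the finding appeared: product identified as eclipse:platform and version inside the range."""
    return cpe23_to_uri(cpe23) == SUPPRESSION_CPE and version_in_range(version, AFFECTED_UP_TO_INCLUDING)


def suppression_applies(purl: str, cpe23: str) -> bool:
    """Does the posted suppression rule cover this (purl, cpe) pair?

    Assumed semantics (not verified against ODC source): the packageUrl regex is
    matched against the whole purl, and a non-regex <cpe> matches as a prefix of
    the identifier's CPE 2.2 URI form.
    """
    purl_ok = re.match(SUPPRESSION_PURL_REGEX, purl) is not None
    cpe_ok = cpe23_to_uri(cpe23).startswith(SUPPRESSION_CPE)
    return purl_ok and cpe_ok


if __name__ == "__main__":
    version = REPORTED_PURL.rsplit("@", 1)[1]
    print("CPE 2.2 form        :", cpe23_to_uri(REPORTED_CPE_23))
    print("inside CVE range    :", cve_range_matches(REPORTED_CPE_23, version))
    print("suppressed (osgi)   :", suppression_applies(REPORTED_PURL, REPORTED_CPE_23))
    print("suppressed (other)  :", suppression_applies(OTHER_PURL, REPORTED_CPE_23))
```

Running it shows both halves of the story: 3.18.0 is numerically below 4.18 and the artifact was mapped to `eclipse:platform`, so the CVE attached; the rule then suppresses exactly the osgi purl and leaves any other `org.eclipse.platform` artifact to be evaluated on its own.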