[FP]: CVE-2023-36415 still found in azure-identity 1.10.3

[JakubJablonski2-TomTom]

Package URl

pkg:maven/com.azure/azure-identity@1.10.3

CPE

cpe:2.3:a:microsoft:azure_identity_sdk:1.10.3:*:*:*:*:*:*:* cpe:2.3:a:microsoft:azure_sdk_for_java:1.10.3:*:*:*:*:*:*:*

CVE

CVE-2023-36415

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

8.4.0

Description

According to https://nvd.nist.gov/vuln/detail/CVE-2023-36415, this CVE affects Up to (excluding) 1.10.2, but both in 1.10.2 and 1.10.3 it is reported as present.

[github-actions[bot]]

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-identity</artifactId>
   <version>1.10.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5992
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_identity_sdk</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6531560682

[aikebah]

Would require an enhancement where the language field of NVD data is taken into account as this CPE has per platform(programming language) a different unbounded up-to-excluding listing https://nvd.nist.gov/vuln/detail/CVE-2023-36415 leading to the java version being checked against the python version range

[martin-traverse]

That language constraint for CPEs seems pretty important! Perhaps worth being on its own ticket? I have several exclusions in my false positives file where the CPE is for a different language.

[aikebah]

@martin-traverse only relevant for multi-language frameworks like this one, as for single language libs the language component is typically left out in the CPE coordinates