jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False Positive Nuget Azure.Identity #6084

Open creasoft-dag opened 11 months ago

creasoft-dag commented 11 months ago

Package URL

pkg:generic/Azure.Identity@1.1000.323.51804

CPE

cpe:2.3:a:microsoft:azure_identity_sdk:1.1000.323.51804:::::::* (Confidence:Low)

CVE

CVE-2023-36415

ODC Integration

CLI

ODC Version

8.3.1

Description

Hi,

we get a false positive for the Azure.Identity NuGet package. The file version of the DLL is set to 1.1000.323.51804 and the product version to 1.10.3+a4954......


The vulnerability should be fixed from 1.10.2 and up.

Best regards, Daniel
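A local workaround, added here as an example and not taken from the reporter or from the DependencyCheck maintainers: a dependency-check suppression file that silences this one CVE for this one package until the analyzer's matching is corrected. The file name `suppressions.xml` and the wording of the notes are assumptions; the `packageUrl` regex and `cve` elements are the suppression schema's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not part of the issue or the project): suppressions.xml,
     passed to the CLI with: dependency-check --suppression suppressions.xml -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        Azure.Identity DLL carries file version 1.1000.323.51804 but product
        version 1.10.3, which is past the 1.10.2 fix for CVE-2023-36415.
        The CPE match was reported at Confidence:Low (issue #6084).
        Re-verify this entry whenever the package version changes.
        ]]></notes>
        <!-- Anchored regex: only this package's purl matches, other pkg:generic
             dependencies are unaffected. -->
        <packageUrl regex="true">^pkg:generic/Azure\.Identity@.*$</packageUrl>
        <!-- Suppress the single CVE rather than the whole CPE so that any future
             CVE against azure_identity_sdk still surfaces in the report. -->
        <cve>CVE-2023-36415</cve>
    </suppress>
</suppressions>
```

Before adding an entry like this, confirm the product version in the assembly yourself (the file version alone is what produced the match), and keep the notes explaining why the finding is believed false so the suppression is reviewed rather than silently inherited on the next upgrade.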

github-actions[bot] commented 11 months ago

Error parsing package url: https://www.nuget.org/packages/Azure.Identity/1.10.3.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 11 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/6931500863

a20nitin commented 9 months ago

We are also facing the same false positive vulnerability. When can we expect a solution?