jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Azure SDK for Java #6100

Open rmn7 opened 9 months ago

rmn7 commented 9 months ago

Package URL

pkg:maven/com.azure/azure-core@1.44.1

CPE

cpe:2.3:a:microsoft:azure_sdk_for_java:1.44.1:*:*:*:*:*:*:*

CVE

CVE-2023-36052

ODC Integration

Maven Plugin

ODC Version

8.2.1

Description

This only affects the azure cli but is matching for the azure java sdk. Check: https://nvd.nist.gov/vuln/detail/CVE-2023-36052

It also incorrectly matches on other com.azure packages:

azure-core-1.44.1.jar (pkg:maven/com.azure/azure-core@1.44.1, cpe:2.3:a:microsoft:azure_cli:1.44.1:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.44.1:*:*:*:*:*:*:*) : CVE-2023-36052
azure-core-http-netty-1.13.9.jar (pkg:maven/com.azure/azure-core-http-netty@1.13.9, cpe:2.3:a:microsoft:azure_cli:1.13.9:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.13.9:*:*:*:*:*:*:*) : CVE-2023-36052
azure-core-management-1.11.5.jar (pkg:maven/com.azure/azure-core-management@1.11.5, cpe:2.3:a:microsoft:azure_cli:1.11.5:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.11.5:*:*:*:*:*:*:*) : CVE-2023-36052
azure-identity-1.10.4.jar (pkg:maven/com.azure/azure-identity@1.10.4, cpe:2.3:a:microsoft:azure_cli:1.10.4:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_identity_sdk:1.10.4:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.10.4:*:*:*:*:*:*:*) : CVE-2023-36052
azure-json-1.1.0.jar (pkg:maven/com.azure/azure-json@1.1.0, cpe:2.3:a:microsoft:azure_cli:1.1.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.1.0:*:*:*:*:*:*:*) : CVE-2023-36052
azure-resourcemanager-2.31.0.jar (pkg:maven/com.azure.resourcemanager/azure-resourcemanager@2.31.0, cpe:2.3:a:microsoft:azure_cli:2.31.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:2.31.0:*:*:*:*:*:*:*) : CVE-2023-36052
azure-resourcemanager-msi-2.31.0.jar (pkg:maven/com.azure.resourcemanager/azure-resourcemanager-msi@2.31.0, cpe:2.3:a:microsoft:azure_cli:2.31.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_identity_sdk:2.31.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:2.31.0:*:*:*:*:*:*:*) : CVE-2023-36052

github-actions[bot] commented 9 months ago

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-core</artifactId>
   <version>1.44.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6100
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-core@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6955184981

Dhanxy commented 9 months ago

This is a false positive? I have uploaded to the latest version and I still have the same vulnerability.

marcelstoer commented 8 months ago

@aikebah what could a proper suppression look like? Would we need a (more) wildcard package URL or several individual suppressions?

Excerpt from the HTML report below.

[Screenshot of the HTML report excerpt, taken 2023-11-30]

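The bot's generated rule above only suppresses the azure_sdk_for_java CPE for azure-core, so the azure_cli matches on the other com.azure artifacts listed in the report would still be flagged. As an added illustration (not the project's own rule and not part of any comment in this thread) of the two ways the question above can be answered with the same suppression syntax the bot used, the fragment below shows a narrow rule keyed on the CVE and a broad rule keyed on the CPE. The package URL regex covering both the com.azure and com.azure.resourcemanager groups is an assumption derived from the artifacts in the report; it is meant to be checked against the actual HTML report before adoption, and the narrower CVE-based rule is the one to prefer because it leaves future azure_cli findings visible.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Option 1 (narrow, preferred): suppress only CVE-2023-36052, which per the
         issue affects the Azure CLI and not the Java SDK, for every com.azure and
         com.azure.resourcemanager artifact. Other CVEs for these CPEs stay visible. -->
    <suppress>
        <notes><![CDATA[
        FP per issue #6100: CVE-2023-36052 affects the Azure CLI, not the Azure SDK for Java.
        ]]></notes>
        <!-- Assumed regex: matches pkg:maven/com.azure/... and pkg:maven/com.azure.resourcemanager/... -->
        <packageUrl regex="true">^pkg:maven/com\.azure(\.resourcemanager)?/.*$</packageUrl>
        <cve>CVE-2023-36052</cve>
    </suppress>

    <!-- Option 2 (broad): drop the azure_cli CPE identification for the same artifacts,
         so no azure_cli CVE, present or future, is reported against the Java SDK jars.
         Use only if you are confident the CPE itself is always wrong for these jars. -->
    <suppress>
        <notes><![CDATA[
        FP per issue #6100: com.azure Maven artifacts are the Azure SDK for Java, not the Azure CLI.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.azure(\.resourcemanager)?/.*$</packageUrl>
        <cpe>cpe:/a:microsoft:azure_cli</cpe>
    </suppress>

</suppressions>
```

The file is passed to the Maven plugin through its `suppressionFiles` configuration. With option 1 in place, the seven report lines above for CVE-2023-36052 disappear while the azure_cli and azure_sdk_for_java CPEs remain in the identifiers section, which is the easiest way to confirm the rule matched for the right reason rather than by hiding the identification.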
marcelstoer commented 8 months ago

@aikebah @jeremylong do you think this is something we can expect a suppression for any time soon?