jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: MongoDB.Bson #6128

Open echalone opened 12 months ago

echalone commented 12 months ago

Package URL

pkg:nuget/MongoDB.Bson@2.22.0

CPE

cpe:2.3:a:mongodb:bson:2.22.0:*:*:*:*:*:*:*

CVE

CVE-2015-4411

ODC Integration

None

ODC Version

8.4.3

Description

A false positive for the mongodb/bson-ruby library (https://github.com/mongodb/bson-ruby) is reported, when in reality it is the MongoDB.Bson NuGet package (https://www.nuget.org/packages/MongoDB.Bson) for which there isn't even a version 3.0.4 released yet that's "required by this CVE to fix it".

github-actions[bot] commented 12 months ago

Nuget Coordinates

dotnet add package MongoDB.Bson --version 2.22.0

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6128
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/MongoDB\.Bson@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:bson</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6978033450
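The rule above is scoped twice: the `packageUrl` regex restricts it to the NuGet `MongoDB.Bson` package, and the `cpe` element names the identification to drop, so the same CVE stays reported for a dependency that really is the bson-ruby gem. The script below is an added example, not dependency-check's own code: it loads the rule from a constructed suppression file and runs a simplified, assumed model of the matching (regex on the package URL, component-boundary prefix match on the CPE after reducing the 2.3 string to its `cpe:/part:vendor:product:version` form) over three constructed findings. Function names, the findings, and the `CVE-0000-0000` placeholder are all mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the suppression rule posted in this issue, wrapped in the
# <suppressions> root element a real suppression file needs.
SUPPRESSIONS_XML = r"""
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #6128
    ]]></notes>
    <packageUrl regex="true">^pkg:nuget/MongoDB\.Bson@.*$</packageUrl>
    <cpe>cpe:/a:mongodb:bson</cpe>
  </suppress>
</suppressions>
"""

# Constructed findings, shaped like scanner output: the NuGet package from the
# issue, the Ruby gem the CVE actually concerns, and an unrelated package with
# a placeholder CVE id.
FINDINGS = [
    {"purl": "pkg:nuget/MongoDB.Bson@2.22.0",
     "cpe": "cpe:2.3:a:mongodb:bson:2.22.0:*:*:*:*:*:*:*", "cve": "CVE-2015-4411"},
    {"purl": "pkg:gem/bson@3.0.3",
     "cpe": "cpe:2.3:a:mongodb:bson:3.0.3:*:*:*:*:*:*:*", "cve": "CVE-2015-4411"},
    {"purl": "pkg:nuget/MongoDB.Driver@2.22.0",
     "cpe": "cpe:2.3:a:mongodb:mongodb:2.22.0:*:*:*:*:*:*:*", "cve": "CVE-0000-0000"},
]


def _local(tag):
    """Strip the XML namespace prefix ({ns}tag -> tag)."""
    return tag.rsplit("}", 1)[-1]


def cpe23_to_uri(cpe23):
    """Reduce a CPE 2.3 formatted string to the 2.2-style URI prefix
    (cpe:/part:vendor:product:version) that a <cpe> selector is written in."""
    fields = cpe23.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe23)
    part, vendor, product, version = fields[2:6]
    return "cpe:/%s:%s:%s:%s" % (part, vendor, product, version)


def load_rules(xml_text):
    """Parse every <suppress> element into a dict of compiled selectors."""
    rules = []
    for sup in ET.fromstring(xml_text.strip()).iter():
        if _local(sup.tag) != "suppress":
            continue
        rule = {"purl": None, "cpe": None, "notes": ""}
        for child in sup:
            name = _local(child.tag)
            text = (child.text or "").strip()
            if name == "packageUrl":
                # A non-regex selector is a literal value; normalise both forms to a pattern.
                pattern = text if child.get("regex") == "true" else "^" + re.escape(text) + "$"
                rule["purl"] = re.compile(pattern)
            elif name == "cpe":
                rule["cpe"] = text
            elif name == "notes":
                rule["notes"] = text
        if rule["purl"] is None and rule["cpe"] is None:
            raise ValueError("suppress rule without any selector would hide everything")
        rules.append(rule)
    return rules


def _cpe_matches(selector, cpe23):
    """Prefix match on the URI form, but only at a component boundary so that
    cpe:/a:mongodb:bson does not also cover a product named bsonx."""
    uri = cpe23_to_uri(cpe23)
    return uri == selector or uri.startswith(selector + ":")


def is_suppressed(finding, rules):
    """A finding is dropped when every selector present on some rule matches it."""
    for rule in rules:
        if rule["purl"] is not None and not rule["purl"].search(finding["purl"]):
            continue
        if rule["cpe"] is not None and not _cpe_matches(rule["cpe"], finding["cpe"]):
            continue
        return True
    return False


def apply_suppressions(findings, rules):
    """Split findings into (kept, suppressed) lists."""
    kept, suppressed = [], []
    for f in findings:
        (suppressed if is_suppressed(f, rules) else kept).append(f)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_suppressions(FINDINGS, load_rules(SUPPRESSIONS_XML))
    for f in suppressed:
        print("suppressed:     ", f["purl"], f["cve"])
    for f in kept:
        print("still reported: ", f["purl"], f["cve"])
```

Running it shows only `pkg:nuget/MongoDB.Bson@2.22.0` suppressed; `pkg:gem/bson@3.0.3` keeps its CVE-2015-4411 finding because the package URL selector does not match it, which is the reason for anchoring a false-positive suppression on the package URL rather than on the CVE id alone.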