Open JoergHeinicke5005 opened 9 months ago
Npm Coordinates
npm -i mongodb@5.9.2
Suppression rule:
```xml
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6300
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
```
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7209083854
Npm Coordinates
npm -i mongodb@5.9.2
Suppression rule:
```xml
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6300
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>
```
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7212097877
Something buggy going on with the ecosystem.
v8.4.3: All mongodb:mongodb CPE entries are linked to ecosystem native
v9.0.x: Some mongodb:mongodb CPE entries are still linked to ecosystem native, but many are also at null
Promoting from FP report to bug
CPEs for 9.x:
CPEs for 8.4.3:
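To repeat the comparison made in the comment above on an exported copy of the CPE table, here is an added Python example (not DependencyCheck's own code). The column layout and the ecosystem filter it models are assumptions, and the sample rows are constructed to mirror the shape of the pasted dumps.

```python
import csv
from io import StringIO

# Assumed column layout of the pasted rows: id, then the 11 CPE 2.3
# components in order, then the ecosystem tag (empty = null).
COLUMNS = ["id", "part", "vendor", "product", "version", "update", "edition",
           "language", "sw_edition", "target_sw", "target_hw", "other", "ecosystem"]
KEY = ("vendor", "product", "version", "update", "sw_edition", "target_sw")

# Constructed sample rows modelled on the 8.4.3 and 9.x dumps in the comment.
CPE_843 = """\
106676,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
116718,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,native
120697,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
150252,a,mongodb,mongodb,*,*,*,*,enterprise,*,*,*,native
"""
CPE_9X = """\
112074,a,mongodb,mongodb,*,*,*,*,*,*,*,*,native
112075,a,mongodb,mongodb,1.2.0,*,*,*,*,*,*,*,
118001,a,mongodb,mongodb,2.4.0,*,*,*,*,*,*,*,native
192188,a,mongodb,mongodb,*,*,*,*,enterprise,*,*,*,native
"""

def parse_cpe_rows(text):
    """Map each CPE (keyed on its distinguishing components) to its ecosystem or None."""
    table = {}
    for rec in csv.reader(StringIO(text)):
        if len(rec) != len(COLUMNS):
            continue  # skip blank or malformed lines
        row = dict(zip(COLUMNS, rec))
        table[tuple(row[c] for c in KEY)] = row["ecosystem"] or None
    return table

def lost_ecosystem(old_text, new_text):
    """CPEs tagged with an ecosystem in the old table but null in the new one."""
    old, new = parse_cpe_rows(old_text), parse_cpe_rows(new_text)
    return sorted(k for k, eco in new.items() if eco is None and old.get(k))

def candidate_cpes(text, dependency_ecosystem):
    """Simplified model (assumed) of the ecosystem filter: a CPE stays a match
    candidate for a dependency when its ecosystem is unset or equals the dependency's."""
    return sorted(k for k, eco in parse_cpe_rows(text).items()
                  if eco is None or eco == dependency_ecosystem)
```

Under this model an npm dependency has no candidates in the 8.4.3 table (everything is tagged native) but gains the untagged 1.2.0 entry in the 9.x table, which is the shape of the false positive reported here.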
Package URL
pkg:npm/mongodb@5.9.2
CPE
cpe:2.3:a:mongodb:mongodb:5.9.2:*:*:*:*:*:*:*
CVE
CVE-2014-8180
ODC Integration
Gradle Plugin
ODC Version
9.0.5
Description
Dependency Check pulls out the extremely old CVE-2014-8180 (which seems to be applicable to running mongod on some RedHat) and matches it to the mongodb driver for Node.js. Not sure what exactly has changed, but the NVD website doesn't report any recent change on the entry (last change in 2017). The CVE has not been reported before, i.e., in particular with the NVD data feed. Also, it's not always being reported but only occasionally, so the behavior seems somewhat non-deterministic.
Is it something which can be suppressed globally or do we have to do it locally?
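As an added example (not ODC's own code) of how the base suppression rule posted above is expected to apply to this finding: both the packageUrl regex and the cpe prefix must match. The prefix comparison against the 2.2 URI form is an assumed simplified model of ODC's matching, and the second finding is constructed.

```python
import re

# The suppression rule quoted in the report: a <packageUrl regex="true"> and a
# <cpe> prefix. Both must match for the rule to apply (assumed model).
RULE = {"packageUrl": r"^pkg:npm/mongodb@.*$", "cpe": "cpe:/a:mongodb:mongodb"}

def cpe23_to_uri(cpe23):
    """Rewrite a CPE 2.3 formatted string as a 2.2 URI, dropping trailing ANY (*)
    components, so a short prefix such as cpe:/a:mongodb:mongodb can be compared."""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError("expected a CPE 2.3 formatted string with 11 components")
    comps = parts[2:]
    while comps and comps[-1] == "*":
        comps.pop()
    return "cpe:/" + ":".join(comps)

def suppression_applies(rule, purl, cpe23):
    """True when the finding's package URL matches the rule's regex (anchored by
    the rule itself) AND its CPE, in URI form, starts with the rule's cpe value."""
    purl_ok = re.search(rule["packageUrl"], purl) is not None
    cpe_ok = cpe23_to_uri(cpe23).startswith(rule["cpe"])
    return purl_ok and cpe_ok

# The finding from the report, and a constructed finding for a non-npm package
# that carries the same CPE; the npm-scoped regex must leave it alone.
FINDING = ("pkg:npm/mongodb@5.9.2", "cpe:2.3:a:mongodb:mongodb:5.9.2:*:*:*:*:*:*:*")
OTHER = ("pkg:maven/org.mongodb/mongodb-driver-sync@4.11.0",  # constructed
         "cpe:2.3:a:mongodb:mongodb:4.11.0:*:*:*:*:*:*:*")
```

Because the rule is scoped by the packageUrl regex, it only covers the npm driver; a local suppression for another ecosystem would need its own packageUrl pattern.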