jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: New WildFly application server version reports 180 vulnerabilities day one #6496

Open SuperPat45 opened 5 months ago

SuperPat45 commented 5 months ago

Package URL

pkg:maven/org.wildfly.bom/wildfly@31.0.1.Final

CPE

cpe:2.3:a:redhat:wildfly:31.0.1:*:*:*:*:*:*:*

CVE

CVE-2022-0866

ODC Integration

CLI

ODC Version

9.0.9

Description

Running the dependency check on the new version of the WildFly application server, the report shows a staggering total of 180 vulnerabilities found. https://github.com/wildfly/wildfly/releases/download/31.0.1.Final/wildfly-31.0.1.Final.zip

Most of the archives mentioned in the report are in their latest versions, so logically it shouldn't be vulnerable.

What's more, the same CVE-2022-0866 vulnerability appears in 114 different archives. It is therefore impossible to know which archive is actually affected by the vulnerability.

dependency-check-report.zip

github-actions[bot] commented 5 months ago

Error parsing package url: https://github.com/wildfly/wildfly/releases/download/31.0.1.Final/wildfly-31.0.1.Final.zip.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 5 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8096720529

github-actions[bot] commented 5 months ago

Error parsing package url: https://github.com/wildfly/wildfly/releases/download/31.0.1.Final/wildfly-31.0.1.Final.zip.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 5 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8096725121

SuperPat45 commented 5 months ago

pkg:maven/org.wildfly.bom/wildfly@31.0.1.Final

github-actions[bot] commented 5 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8096792761

OrangeDog commented 4 months ago

Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.

The example you have given is not a false positive.

RedHat products get a lot of CVE reports, and quite often they fix them for their customers with configuration changes, instead of patching the open source components. I'm afraid you have to manually evaluate those 180 vulnerabilities to see if they affect you, and fix, suppress, or ignore them yourself.
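As an added example (not code from the issue, from dependency-check, or from any commenter), the following Python script does the triage OrangeDog's reply calls for: it reads a dependency-check JSON report, groups findings by CVE so that a CVE reported against many archives (CVE-2022-0866 against 114 of them here) can be traced back to the CPE identifier they all share, and drafts a suppression entry for a finding once it has been reviewed. It assumes the report keys `dependencies`, `fileName`, `packages[].id`, `vulnerabilityIds[].id` and `vulnerabilities[].name`, and the `dependency-suppression.1.3.xsd` suppression schema; the sample report embedded below is constructed.

```python
import json
from collections import defaultdict
from xml.sax.saxutils import escape

# Constructed sample in the shape of a dependency-check JSON report (--format JSON).
# Only the keys this script reads are present; the real report carries many more.
# Archive names are constructed; the CVE, CPE and WildFly coordinates come from the issue.
SAMPLE_REPORT_JSON = json.dumps({
    "dependencies": [
        {
            "fileName": "wildfly-elytron-auth-server-2.2.3.Final.jar",
            "packages": [{"id": "pkg:maven/org.wildfly.security/wildfly-elytron-auth-server@2.2.3.Final"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:redhat:wildfly:31.0.1:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-2022-0866", "severity": "MEDIUM"}],
        },
        {
            "fileName": "wildfly-ee-31.0.1.Final.jar",
            "packages": [{"id": "pkg:maven/org.wildfly/wildfly-ee@31.0.1.Final"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:redhat:wildfly:31.0.1:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-2022-0866", "severity": "MEDIUM"}],
        },
        {
            "fileName": "jackson-databind-2.15.2.jar",
            "packages": [{"id": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}],
            "vulnerabilityIds": [],
            "vulnerabilities": [],
        },
    ]
})


def load_report(text):
    """Parse the text of a dependency-check JSON report."""
    return json.loads(text)


def group_by_cve(report):
    """Return {cve: [entry, ...]}; each entry records the archive, its package
    URLs and the CPEs dependency-check matched it to (the cause of the finding)."""
    grouped = defaultdict(list)
    for dep in report.get("dependencies", []):
        entry = {
            "file": dep.get("fileName", ""),
            "purls": [p["id"] for p in dep.get("packages", [])],
            "cpes": [v["id"] for v in dep.get("vulnerabilityIds", [])],
        }
        for vuln in dep.get("vulnerabilities", []):
            grouped[vuln["name"]].append(entry)
    return dict(grouped)


def shared_cpes(entries):
    """CPEs common to every archive that carries the same CVE. A single
    product-level CPE here means the CVE is attributed to every archive that
    was identified as that product, not to one specific jar."""
    cpe_sets = [set(e["cpes"]) for e in entries]
    return sorted(set.intersection(*cpe_sets)) if cpe_sets else []


def cpe23_to_cpe22_product(cpe23):
    """Reduce a CPE 2.3 string to the cpe:/part:vendor:product form that the
    suppression file's <cpe> element takes."""
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe23)
    return "cpe:/%s:%s:%s" % (parts[2], parts[3], parts[4])


def draft_suppression(cve, cpe23, purl_regex, note, by_cpe=False):
    """Build a suppression file with one <suppress> entry. by_cpe=False suppresses
    only the named CVE for archives matching purl_regex (the narrow choice);
    by_cpe=True drops the product CPE match itself, which removes every CVE
    attributed through it. The note must record the manual review behind it."""
    identifier = (
        "<cpe>%s</cpe>" % escape(cpe23_to_cpe22_product(cpe23)) if by_cpe
        else "<cve>%s</cve>" % escape(cve)
    )
    return (
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n'
        "  <suppress>\n"
        "    <notes><![CDATA[%s]]></notes>\n"
        '    <packageUrl regex="true">%s</packageUrl>\n'
        "    %s\n"
        "  </suppress>\n"
        "</suppressions>\n"
    ) % (note, escape(purl_regex), identifier)


if __name__ == "__main__":
    grouped = group_by_cve(load_report(SAMPLE_REPORT_JSON))
    for cve, entries in grouped.items():
        print("%s reported against %d archive(s); shared CPE match: %s"
              % (cve, len(entries), ", ".join(shared_cpes(entries)) or "none"))
        for e in entries:
            print("  %s  %s" % (e["file"], " ".join(e["purls"])))
    print(draft_suppression("CVE-2022-0866", "cpe:2.3:a:redhat:wildfly:31.0.1:*:*:*:*:*:*:*",
                            r"^pkg:maven/org\.wildfly.*$", "Reviewed: Elytron not enabled in this deployment."))
```

Run it against a real report with `dependency-check --format JSON` and pass the output to `load_report`; when `shared_cpes` returns one product CPE for a CVE that covers many archives, the CVE is a product-level attribution and the review (and any suppression) should be made per product, not per jar, with the reasoning kept in the `<notes>` element.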

github-actions[bot] commented 4 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8295831689