Open SuperPat45 opened 5 months ago
Error parsing package url: https://github.com/wildfly/wildfly/releases/download/31.0.1.Final/wildfly-31.0.1.Final.zip.
Error: Error: purl is missing the required "pkg" scheme component.
Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8096720529
Error parsing package url: https://github.com/wildfly/wildfly/releases/download/31.0.1.Final/wildfly-31.0.1.Final.zip.
Error: Error: purl is missing the required "pkg" scheme component.
Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8096725121
pkg:maven/org.wildfly.bom/wildfly@31.0.1.Final
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8096792761
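The check the false-positive bot applies above (rejecting the plain https download link, accepting the `pkg:maven/...` purl from the HTML report), as an added example; this is a minimal parser written for this issue, not DependencyCheck's own code or the packageurl library, and the error text for a missing type or name is my own wording:

```python
from urllib.parse import unquote

def parse_purl(purl: str) -> dict:
    """Parse a Package URL into its components, raising ValueError on
    malformed input (the same failure class as the bot output above)."""
    scheme, sep, rest = purl.strip().partition(":")
    # The scheme is mandatory and must be exactly "pkg": a plain
    # https:// release download link is not a purl and is rejected here.
    if not sep or scheme.lower() != "pkg":
        raise ValueError('purl is missing the required "pkg" scheme component')
    rest = rest.lstrip("/")                    # tolerate the non-canonical "pkg://" form
    rest, _, subpath = rest.partition("#")     # optional subpath after "#"
    rest, _, query = rest.partition("?")       # optional qualifiers after "?"
    head, sep, version = rest.rpartition("@")  # version follows the LAST "@"
    if not sep:
        head, version = rest, ""
    ptype, _, path = head.partition("/")
    segments = [s for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError("purl is missing the required type or name component")
    qualifiers = {}
    for kv in query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            qualifiers[key.lower()] = unquote(value)
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in segments[:-1]) or None,
        "name": unquote(segments[-1]),
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }

def is_purl(candidate: str) -> bool:
    """True only if the string parses as a purl; a pre-check worth running
    before pasting a value into the issue template's Package URL field."""
    try:
        parse_purl(candidate)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Values from this issue: the download link the bot rejected and the purl it accepted.
    print(is_purl("https://github.com/wildfly/wildfly/releases/download/31.0.1.Final/wildfly-31.0.1.Final.zip"))
    print(parse_purl("pkg:maven/org.wildfly.bom/wildfly@31.0.1.Final"))
```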
Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
The example you have given is not a false positive.
RedHat products get a lot of CVE reports, and quite often they fix them for their customers with configuration changes, instead of patching the open source components. I'm afraid you have to manually evaluate those 180 vulnerabilities to see if they affect you, and fix, suppress, or ignore them yourself.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8295831689
Package URL
pkg:maven/org.wildfly.bom/wildfly@31.0.1.Final
CPE
cpe:2.3:a:redhat:wildfly:31.0.1:::::::*
CVE
CVE-2022-0866
ODC Integration
CLI
ODC Version
9.0.9
Description
Running the dependency check on the new version of the WildFly application server, the report shows a staggering total of 180 vulnerabilities found. https://github.com/wildfly/wildfly/releases/download/31.0.1.Final/wildfly-31.0.1.Final.zip
Most of the archives mentioned in the report are in their latest versions, so logically it shouldn't be vulnerable.
What's more, the same CVE-2022-0866 vulnerability appears in 114 different archives. It is therefore impossible to know which archive is actually affected by the vulnerability.
dependency-check-report.zip