jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: CVE-2019-3774 on spring-batch-excel@0.1.1 #6613

Closed vincenzo-scia closed 3 weeks ago

vincenzo-scia commented 1 month ago

Package URL

pkg:maven/org.springframework.batch.extensions/spring-batch-excel@0.1.1

CPE

cpe:2.3:a:pivotal_software:spring_batch:0.1.1:*:*:*:*:*:*:*

CVE

CVE-2019-3774

ODC Integration

Maven Plugin

ODC Version

7.4.4

Description

DependencyCheck 7.4.4 is currently reporting spring-batch-excel@0.1.1 to be affected by CVE-2019-3774.

However, it seems that this issue occurs because spring-batch-excel@0.1.1 is associated with cpe:2.3:a:pivotal_software:spring_batch:0.1.1:*:*:*:*:*:*:*, which is itself affected by CVE-2019-3774. Instead, spring-batch-excel@0.1.1 should not be affected by CVE-2019-3774.

Moreover, Maven Repository does not report any vulnerability for spring-batch-excel@0.1.1 https://mvnrepository.com/artifact/org.springframework.batch.extensions/spring-batch-excel/0.1.1

Should it be marked as false positive?

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>org.springframework.batch.extensions</groupId>
   <artifactId>spring-batch-excel</artifactId>
   <version>0.1.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6613
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.batch\.extensions/spring-batch-excel@.*$</packageUrl>
   <cpe>cpe:/a:pivotal_software:spring_batch</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8754328951
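A check a maintainer can run before approving a proposed rule like the one above: parse the suppression file, confirm the packageUrl regex matches the reported package, and confirm the <cpe> entry covers the reported CPE 2.3 string but not unrelated findings on the same artifact. This is an added example, not code from the issue or from dependency-check itself; the wrapper <suppressions> element and namespace, and the prefix-style CPE matching, are my assumptions about the tool's suppression file layout and behaviour.

```python
import re
import xml.etree.ElementTree as ET

# The pairing dependency-check reported in this issue: package URL plus CPE 2.3 string.
PURL = "pkg:maven/org.springframework.batch.extensions/spring-batch-excel@0.1.1"
CPE = "cpe:2.3:a:pivotal_software:spring_batch:0.1.1:*:*:*:*:*:*:*"

# Constructed suppression file wrapping the bot's rule (root element/namespace assumed to follow dependency-check's documented layout).
SUPPRESSION_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[ FP per issue #6613 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.batch\.extensions/spring-batch-excel@.*$</packageUrl>
    <cpe>cpe:/a:pivotal_software:spring_batch</cpe>
  </suppress>
</suppressions>"""

def parse_cpe(cpe):
    """(part, vendor, product, version) from a CPE 2.2 URI or a CPE 2.3 formatted string.
    A missing or wildcard version becomes ''. Escaped colons are not handled."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe.split(":")[2:]
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError(f"unrecognised CPE syntax: {cpe}")
    part, vendor, product, version = (fields + [""] * 4)[:4]
    return part, vendor, product, "" if version == "*" else version

def load_rules(xml_text):
    """Collect every <suppress> entry; {*} tolerates a file with or without the namespace."""
    rules = []
    for s in ET.fromstring(xml_text).iterfind(".//{*}suppress"):
        purl = s.find("{*}packageUrl")
        rules.append({
            "purl": purl.text.strip() if purl is not None else None,
            "purl_is_regex": purl is not None and purl.get("regex") == "true",
            "cpes": [c.text.strip() for c in s.findall("{*}cpe")],
        })
    return rules

def rule_covers(rule, purl, cpe):
    """Would the rule hide this (purl, cpe) pairing? packageUrl must match and some <cpe> must
    agree on part/vendor/product (and version when it names one; assumed prefix-style semantics)."""
    pat = rule["purl"]
    if pat is not None and not (re.fullmatch(pat, purl) if rule["purl_is_regex"] else pat == purl):
        return False
    if not rule["cpes"]:
        return False  # rules without a <cpe> element are out of scope for this check
    part, vendor, product, version = parse_cpe(cpe)
    return any(parse_cpe(w)[:3] == (part, vendor, product) and parse_cpe(w)[3] in ("", version)
               for w in rule["cpes"])
```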

jeremylong commented 3 weeks ago

approved

github-actions[bot] commented 3 weeks ago

Suppress rule has been added to the generatedSuppressions branch.