Closed vincenzo-scia closed 3 weeks ago
Maven Coordinates
<dependency>
<groupId>org.springframework.batch.extensions</groupId>
<artifactId>spring-batch-excel</artifactId>
<version>0.1.1</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #6613
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.batch\.extensions/spring-batch-excel@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_batch</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8754328951
approved
Suppress rule has been added to the generatedSuppressions branch.
Package URL
pkg:maven/org.springframework.batch.extensions/spring-batch-excel@0.1.1
CPE
cpe:2.3:a:pivotal_software:spring_batch:0.1.1:::::::*
CVE
CVE-2019-3774
ODC Integration
Maven Plugin
ODC Version
7.4.4
Description
DependencyCheck 7.4.4 is currently reporting spring-batch-excel@0.1.1 to be affected by CVE-2019-3774.
However, it seems that this issue occurs due to the fact that spring-batch-excel@0.1.1 is associated with cpe:2.3:a:pivotal_software:spring_batch:0.1.1:*:*:*:*:*:*:* which is itself affected by CVE-2019-3774. Instead, spring-batch-excel@0.1.1 should not be affected by CVE-2019-3774. Moreover, Maven Repository does not report any vulnerability for spring-batch-excel@0.1.1: https://mvnrepository.com/artifact/org.springframework.batch.extensions/spring-batch-excel/0.1.1
Should it be marked as false positive?
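As an added check, not part of this issue or of DependencyCheck's own code, the following Python models how the suppression rule above is applied to the reported finding: the `packageUrl` regex must match the full package URL, and the `<cpe>` value (CPE 2.2 URI form) is a prefix match against the dependency's CPE, which is how the documented non-regex `cpe` matching is assumed to work here. The `spring-batch-core` package URL used as a negative case is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Suppression rule as quoted in the issue (CDATA notes included).
SUPPRESSION_XML = r"""<suppress base="true">
<notes><![CDATA[
FP per issue #6613
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.batch\.extensions/spring-batch-excel@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_batch</cpe>
</suppress>"""

# The finding reported in the issue.
REPORTED_PURL = "pkg:maven/org.springframework.batch.extensions/spring-batch-excel@0.1.1"
REPORTED_CPE23 = "cpe:2.3:a:pivotal_software:spring_batch:0.1.1:*:*:*:*:*:*:*"


def cpe23_to_cpe22(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the CPE 2.2 URI form used by
    suppression <cpe> values ('*' becomes empty, trailing empties are dropped)."""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: " + cpe23)
    comps = ["" if p == "*" else p for p in parts[2:]]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)


def rule_matches(rule_xml: str, purl: str, cpe23: str) -> bool:
    """Assumption: packageUrl regex is matched against the whole purl and a
    non-regex <cpe> matches when the dependency's CPE 2.2 URI starts with it."""
    rule = ET.fromstring(rule_xml)
    purl_el = rule.find("packageUrl")
    cpe_el = rule.find("cpe")
    if purl_el is not None:
        if purl_el.get("regex") == "true":
            if re.fullmatch(purl_el.text, purl) is None:
                return False
        elif purl_el.text != purl:
            return False
    if cpe_el is not None and not cpe23_to_cpe22(cpe23).startswith(cpe_el.text):
        return False
    return True


if __name__ == "__main__":
    print(rule_matches(SUPPRESSION_XML, REPORTED_PURL, REPORTED_CPE23))
```

Running it confirms the rule covers the reported artifact at any version while leaving other spring_batch artifacts unsuppressed.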