jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Wrong CPE for org.evolvis.tartools:background-jobs #6638

Closed mirabilos closed 2 weeks ago

mirabilos commented 2 weeks ago

Describe the bug
I get a bogus report:

background-jobs-1.27.jar (pkg:maven/org.evolvis.tartools/background-jobs@1.27, cpe:2.3:a:jobs-plugin_project:jobs-plugin:1.27:::::::*) : CVE-2014-125035

The CPE is wrong. Jobs-Plugin is https://github.com/mrbobbybryant/Jobs-Plugin and a PHP project.

Version of dependency-check used
org.owasp:dependency-check-maven:9.1.0:aggregate

Log file
There’s nothing in the full log that stands out; this is just a CPE mis-mapping issue. I can provide it on request if you really want it, but…

jeremylong commented 2 weeks ago

Working as expected - this is not a bug, rather this is a false positive. See

https://jeremylong.github.io/DependencyCheck/general/internals.html
https://jeremylong.github.io/DependencyCheck/general/thereport.html
https://jeremylong.github.io/DependencyCheck/general/suppression.html
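For a practitioner hitting this, the fix the maintainer is pointing at is a suppression file. The one below is an added example written for this thread, not text from the issue or from the dependency-check project docs; the file name, the regex and the note text are assumptions. It suppresses the mis-identified CPE itself rather than CVE-2014-125035, because the root problem is the wrong `jobs-plugin` identification: suppressing only the CVE would leave the bad CPE in place and any future CVE filed against `jobs-plugin_project:jobs-plugin` would resurface as a new false positive. The `packageUrl` match scopes the suppression to this one artifact so a genuine `jobs-plugin` match elsewhere in the build is still reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <suppress>
        <!-- Why this is here, so the next reviewer can re-check the reasoning -->
        <notes><![CDATA[
        False positive from issue #6638: background-jobs (org.evolvis.tartools)
        is matched to cpe:2.3:a:jobs-plugin_project:jobs-plugin, which is an
        unrelated PHP WordPress plugin (https://github.com/mrbobbybryant/Jobs-Plugin).
        Suppress the CPE, not the CVE, so future CVEs on that CPE do not reappear.
        ]]></notes>

        <!-- Restrict to this artifact only; any version, since the mis-mapping
             is on the group/artifact name, not on 1.27 specifically -->
        <packageUrl regex="true">^pkg:maven/org\.evolvis\.tartools/background-jobs@.*$</packageUrl>

        <!-- Prefix match on vendor:product; dropping the version keeps the
             suppression valid across upgrades of background-jobs -->
        <cpe>cpe:/a:jobs-plugin_project:jobs-plugin</cpe>
    </suppress>

</suppressions>
```

Wire it into the Maven plugin with the `suppressionFiles` parameter (`<suppressionFiles><suppressionFile>dependency-check-suppressions.xml</suppressionFile></suppressionFiles>` under the plugin's `<configuration>`, path being an assumption here) and re-run `dependency-check:aggregate`; the HTML report's "suppressed" section should now list the jobs-plugin CPE for background-jobs-1.27.jar, and the CVE-2014-125035 finding should be gone. If the finding persists, check that the suppression file is actually picked up by the aggregate goal in every module and that the `packageUrl` regex matches the exact purl string printed in the report.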

jeremylong commented 2 weeks ago

If you are going to report this again after I close this issue - please use the false positive template.