jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: togglz-mongodb-4.4.0.jar is mixed up with mongodb-4.4.0.jar #6640

Closed j-ferreira closed 1 week ago

j-ferreira commented 2 weeks ago

Package URL

pkg:maven/org.togglz/togglz-mongodb@4.4.0

CPE

cpe:2.3:a:mongodb:mongodb:4.4.0:*:*:*:*:*:*:*

CVE

CVE-2020-7925 CVE-2021-32040 CVE-2023-1409 CVE-2021-32036 CVE-2019-2392 CVE-2020-7926 CVE-2020-7928 CVE-2021-20326 CVE-2021-20330 CVE-2014-8180

ODC Integration

Maven Plugin

ODC Version

9.1.0

Description

We are using togglz in version 4.4 with MongoDB. It seems that the dependency togglz-mongodb-4.4.0.jar is mixed up with mongodb-4.4.0.jar.

github-actions[bot] commented 2 weeks ago

Error parsing package url: ^pkg:maven/org.togglz/togglz-mongodb@.*$.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8936942055

github-actions[bot] commented 2 weeks ago

Error parsing package url: ^pkg:maven/org.togglz/togglz-mongodb@.*$.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8936950841

github-actions[bot] commented 2 weeks ago

Error parsing package url: ^pkg:maven/org.togglz/togglz-mongodb@.*$.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8936961988

github-actions[bot] commented 2 weeks ago

Error parsing package url: pkg:maven/org.togglz/togglz-mongodb@.*$.

Error: Error: Invalid purl: version must be percent-encoded

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8937048199

github-actions[bot] commented 2 weeks ago

Error parsing package url: pkg:maven/org.togglz/togglz-mongodb@.*$.

Error: Error: Invalid purl: version must be percent-encoded

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8937158860

github-actions[bot] commented 1 week ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9000315585

github-actions[bot] commented 1 week ago

Maven Coordinates

<dependency>
   <groupId>org.togglz</groupId>
   <artifactId>togglz-mongodb</artifactId>
   <version>4.4.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6640
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.togglz/togglz-mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9001817673
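The two things that happened in this thread, the bot rejecting a regex pasted into the "Package URL" field and the generated rule then matching the togglz artifact but not a real MongoDB driver, can be reproduced with a small model of the matching. The following is an added example written for this page, not dependency-check's own code: it implements a simplified purl parser whose error messages mirror the bot's, converts the CPE 2.3 string from the report to the 2.2 URI form the rule uses, and evaluates the rule with regex matching on packageUrl and prefix matching on cpe. Those matching semantics, the allowed version character set, and the control purl `pkg:maven/org.mongodb/mongodb-driver-core@4.4.0` are assumptions of this example, not statements about dependency-check's implementation.

```python
"""Added example, not dependency-check's own code: model how a suppression rule
like the one generated for issue #6640 is evaluated, and why a regex pasted
into the issue's purl field fails validation. Matching semantics here (regex on
packageUrl, prefix match on cpe) are a simplification and an assumption."""
import re
import xml.etree.ElementTree as ET

# Simplified package URL grammar: pkg:type/namespace/name@version?qualifiers#subpath
PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9.+-]+)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]*))?"
    r"(?:#(?P<subpath>.*))?$"
)
# Assumption: a version may contain unreserved characters, '+', ':' and the '%'
# of an escape sequence; anything else (such as '*' or '$') must be encoded.
VERSION_OK = re.compile(r"^[A-Za-z0-9._~+:%-]+$")


def parse_purl(purl: str) -> dict:
    """Parse a purl into its components; error messages mirror the bot's above."""
    if not purl.startswith("pkg:"):
        raise ValueError('purl is missing the required "pkg" scheme component')
    m = PURL_RE.match(purl)
    if m is None:
        raise ValueError("Invalid purl: " + purl)
    parts = m.groupdict()
    if parts["version"] is not None and not VERSION_OK.match(parts["version"]):
        raise ValueError("Invalid purl: version must be percent-encoded")
    return parts


def purl_error(purl: str):
    """Return the validation error for a purl, or None when it parses."""
    try:
        parse_purl(purl)
        return None
    except ValueError as e:
        return str(e)


def cpe23_to_uri(cpe: str) -> str:
    """Convert a CPE 2.3 formatted string to the 2.2 URI form used in <cpe> elements.

    Only unescaped colons are handled; a 2.3 string with '\\:' inside a field
    would need a real CPE parser. A value already in URI form is returned as-is.
    """
    if cpe.startswith("cpe:/"):
        return cpe
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    fields = parts[2:9]  # part, vendor, product, version, update, edition, language
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join(fields)


class SuppressionRule:
    """A <suppress> entry with one packageUrl selector and one or more <cpe> values."""

    def __init__(self, package_url: str, regex: bool, cpes: list):
        self.package_url = package_url
        self.regex = regex
        self.cpes = cpes

    @classmethod
    def from_xml(cls, xml_text: str) -> "SuppressionRule":
        root = ET.fromstring(xml_text)
        pu = root.find("packageUrl")
        return cls(
            package_url=pu.text.strip(),
            regex=pu.get("regex", "false") == "true",
            cpes=[c.text.strip() for c in root.findall("cpe")],
        )

    def matches(self, purl: str, cpe: str) -> bool:
        """True if this rule suppresses `cpe` on the dependency identified by `purl`."""
        parse_purl(purl)  # the dependency's own purl must be a valid purl
        if self.regex:
            if not re.match(self.package_url, purl):
                return False
        elif purl != self.package_url:
            return False
        uri = cpe23_to_uri(cpe)
        return any(uri.startswith(prefix) for prefix in self.cpes)


# The rule posted by the bot in this thread.
RULE_XML = r"""<suppress base="true">
   <notes><![CDATA[
   FP per issue #6640
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.togglz/togglz-mongodb@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>"""
REPORTED_PURL = "pkg:maven/org.togglz/togglz-mongodb@4.4.0"
REPORTED_CPE = "cpe:2.3:a:mongodb:mongodb:4.4.0:*:*:*:*:*:*:*"
# Constructed control case (assumption): a real MongoDB driver artifact that
# the rule must leave alone, since its CPE identification would be correct.
CONTROL_PURL = "pkg:maven/org.mongodb/mongodb-driver-core@4.4.0"


def evaluate(rule_xml: str = RULE_XML) -> dict:
    """Apply the rule to the reported dependency and to the control dependency."""
    rule = SuppressionRule.from_xml(rule_xml)
    return {
        "togglz": rule.matches(REPORTED_PURL, REPORTED_CPE),
        "driver": rule.matches(CONTROL_PURL, REPORTED_CPE),
    }


if __name__ == "__main__":
    for bad in ("^pkg:maven/org.togglz/togglz-mongodb@.*$", "pkg:maven/org.togglz/togglz-mongodb@.*$"):
        print(bad, "->", purl_error(bad))
    print(evaluate())
```

The point of the control case is the one a practitioner should always check before approving a suppression: the regex is anchored to the org.togglz namespace, so the mongodb:mongodb CPE is only dropped for the togglz adapter and stays in place for artifacts that really are MongoDB. Note also that the bot's purl field wants the literal purl from the HTML report; the regex belongs only in the generated `<packageUrl regex="true">` element.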

aikebah commented 1 week ago

approved

github-actions[bot] commented 1 week ago

Suppress rule has been added to the generatedSuppressions branch.