jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for commons-configuration@1.10 for CVE-2024-29131 and CVE-2024-29133 #6665

Closed jubui closed 2 weeks ago

jubui commented 2 weeks ago

Package URL

pkg:maven/commons-configuration/commons-configuration@1.10

CPE

cpe:2.3:a:apache:commons_configuration:1.10:*:*:*:*:*:*:*

CVE

CVE-2024-29131 CVE-2024-29133

ODC Integration

None

ODC Version

8.1.2

Description

CVE-2024-29131 and CVE-2024-29133 both indicate that the affected versions are [2.0,2.10.1) and so this version (1.10) is not affected.

github-actions[bot] commented 2 weeks ago

Error parsing package url: maven/commons-configuration/commons-configuration@1.10.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9069037587


github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9069069891

github-actions[bot] commented 2 weeks ago

Maven Coordinates

<dependency>
   <groupId>commons-configuration</groupId>
   <artifactId>commons-configuration</artifactId>
   <version>1.10</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6665
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-configuration/commons-configuration@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_configuration</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9069073455

github-actions[bot] commented 2 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9069076873

github-actions[bot] commented 2 weeks ago

Maven Coordinates

<dependency>
   <groupId>commons-configuration</groupId>
   <artifactId>commons-configuration</artifactId>
   <version>1.10</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6665
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-configuration/commons-configuration@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_configuration</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9069075213

aikebah commented 2 weeks ago

Duplicate of #6555. The OSSINDEX indicates that the library is vulnerable; we just report their assessment. Whether that assessment is correct or not is something to raise with them.
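The suppression the bot proposed above matches every version of the artifact (`@.*$`) and suppresses the whole CPE, and, as the maintainer's reply notes, this finding comes from OSS Index rather than from NVD CPE matching. A narrower project-level suppression file, written here as an added example (it is not from the issue or from the project's own base suppressions; the file path and the decision to scope the rule to the 1.x line are assumptions), names the two CVEs and restricts the match to the 1.x artifact:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not code from the issue or the DependencyCheck project.
     Assumption: the false positive is limited to the 1.x line of
     commons-configuration:commons-configuration, so the rule is scoped to
     that line rather than to every version of the coordinates. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    CVE-2024-29131 and CVE-2024-29133 list affected versions [2.0,2.10.1)
    (the commons-configuration2 artifact); the 1.x artifact under groupId
    commons-configuration is outside that range.
    See jeremylong/DependencyCheck#6665 and #6555.
    ]]></notes>
    <!-- Match only 1.x. A trailing "@.*$" would also hide any future,
         genuine finding against other versions of the same coordinates. -->
    <packageUrl regex="true">^pkg:maven/commons-configuration/commons-configuration@1\..*$</packageUrl>
    <!-- Name the CVEs instead of suppressing the CPE: a <cpe> rule only
         removes the NVD CPE identification, whereas a <cve> rule removes
         the named CVE from the report whichever analyzer reported it
         (NVD or OSS Index). -->
    <cve>CVE-2024-29131</cve>
    <cve>CVE-2024-29133</cve>
  </suppress>
</suppressions>
```

Point dependency-check at the file with `--suppression <path>` on the CLI or `<suppressionFiles>` in the Maven plugin configuration. Because the rule is keyed on the CVE identifiers rather than the CPE, it keeps working if the same CVEs are later attached to this package by a different data source, and it does not hide other, unrelated CVEs that might be published against commons-configuration 1.x.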