jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for org.eclipse.jgit@5.13.3.202401111512-r jar #6685

Open PrashanthPragadeeswaran opened 1 month ago

PrashanthPragadeeswaran commented 1 month ago

Package URL

pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.13.3.202401111512-r

CPE

cpe:2.3:a:eclipse:jgit:5.13.3:202401111512::::::

CVE

CVE-2023-4759

ODC Integration

None

ODC Version

9.2.0

Description

Updated to the latest org.eclipse.jgit@5.13.3.202401111512-r jar, and on running dependency-check the jar is getting flagged with the old CVE reference "CVE-2023-4759".

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>org.eclipse.jgit</groupId>
   <artifactId>org.eclipse.jgit</artifactId>
   <version>5.13.3.202401111512-r</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6685
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9221357087
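To see what the bot's rule actually covers before committing it to a suppression file, here is an added example (not dependency-check's own matcher) that parses the rule and checks a package URL and CPE against it. Its matching semantics are a simplified assumption about how the tool applies `packageUrl` and `cpe` constraints (full regex match when `regex="true"`, field-wise prefix match for a plain `cpe`), and the coordinates from the issue are embedded as constructed input.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the bot's rule wrapped in a root element so it parses stand-alone
# (a real suppression file also declares the dependency-suppression XML namespace).
SUPPRESSION_XML = r"""<suppressions>
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6685
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>
</suppressions>"""

# The coordinates quoted in the issue.
FLAGGED_PURL = "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.13.3.202401111512-r"
FLAGGED_CPE = "cpe:2.3:a:eclipse:jgit:5.13.3:202401111512::::::"


def cpe22_to_23(cpe):
    """Rewrite a CPE 2.2 prefix (cpe:/a:vendor:product) into its 2.3 spelling."""
    return "cpe:2.3:" + cpe[len("cpe:/"):] if cpe.startswith("cpe:/") else cpe


def rule_suppresses(rule, purl, cpe):
    """Assumed semantics: every constraint present in the <suppress> entry must hold.

    Note the scope: the packageUrl regex ends in @.*, so the entry hides the jgit CPE
    (and every CVE derived from it) for ALL versions of the core artifact, not just
    5.13.3.202401111512-r. Sibling modules such as org.eclipse.jgit.ssh.apache are
    not covered, because the regex requires '@' directly after the artifactId.
    """
    purl_el = rule.find("packageUrl")
    if purl_el is not None:
        pattern = purl_el.text.strip()
        if purl_el.get("regex") == "true":
            if re.fullmatch(pattern, purl) is None:
                return False
        elif pattern != purl:
            return False
    cpe_el = rule.find("cpe")
    if cpe_el is not None:
        wanted = cpe_el.text.strip()
        if cpe_el.get("regex") == "true":
            return re.fullmatch(wanted, cpe) is not None
        prefix = cpe22_to_23(wanted)  # plain <cpe>: match whole leading fields only
        return cpe == prefix or cpe.startswith(prefix + ":")
    return True


def is_suppressed(xml_text, purl, cpe):
    """True when any <suppress> entry in the file matches the dependency."""
    root = ET.fromstring(xml_text)
    return any(rule_suppresses(rule, purl, cpe) for rule in root.iter("suppress"))
```

Because the rule is keyed on the CPE rather than on CVE-2023-4759 alone, it only belongs in a suppression file where the jgit CPE match itself is considered wrong for every version the regex admits.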

chadlwilson commented 1 week ago

This is a duplicate of #5943 - please use the search before you open new issues.