Open aggeboe opened 6 months ago
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222420898
Error parsing package url: pkg:maven/io.prometheus/prometheus-metrics-config@1.2.1,.
Error: Error: Invalid purl: version must be percent-encoded
Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222454485
Maven Coordinates
<dependency>
<groupId>io.prometheus</groupId>
<artifactId>prometheus-metrics-config</artifactId>
<version>1.2.1</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #6686
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-config@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9222469707
Error parsing package url: pkg:maven/io.prometheus/prometheus-metrics-config@1.2.1 pkg:maven/io.prometheus/prometheus-metrics-core@1.2.1.
Error: Error: Invalid purl: version must be percent-encoded
Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222513263
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222543399
Maven Coordinates
<dependency>
<groupId>io.prometheus</groupId>
<artifactId>prometheus-metrics-config</artifactId>
<version>1.2.1</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #6686
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-config@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9222601109
The suppression rule should be updated to something like
<suppress base="true">
<notes><![CDATA[
FP per issue #6686
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-.*@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>
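To check a suppression rule against the package URLs listed in the issue's Description before submitting it, the following added Python example (not ODC's own code) parses both rules from this thread and reports which of the six flagged purls each would suppress. It assumes, as the anchored ^...$ patterns above do, that ODC applies a packageUrl with regex="true" as a full match of the whole purl.

```python
import re
import xml.etree.ElementTree as ET

# The two suppression rules from the thread: the bot-generated one (config artifact
# only) and the broadened one proposed in the comment (all prometheus-metrics-* jars).
NARROW_RULE = """<suppress base="true">
<notes><![CDATA[
FP per issue #6686
]]></notes>
<packageUrl regex="true">^pkg:maven/io\\.prometheus/prometheus-metrics-config@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>"""

# Same rule with the artifact id widened, exactly as suggested in the thread.
BROAD_RULE = NARROW_RULE.replace("prometheus-metrics-config@", "prometheus-metrics-.*@")

# Package URLs copied from the issue's Description field, one per flagged jar.
FLAGGED_PURLS = [
    "pkg:maven/io.prometheus/prometheus-metrics-config@1.2.1",
    "pkg:maven/io.prometheus/prometheus-metrics-core@1.2.1",
    "pkg:maven/io.prometheus/prometheus-metrics-exposition-formats@1.2.1",
    "pkg:maven/io.prometheus/prometheus-metrics-model@1.2.1",
    "pkg:maven/io.prometheus/prometheus-metrics-shaded-protobuf@1.2.1",
    "pkg:maven/io.prometheus/prometheus-metrics-tracer-common@1.2.1",
]

def parse_rule(xml_text):
    """Return (packageUrl pattern, is_regex, cpe) from one <suppress> element."""
    root = ET.fromstring(xml_text)
    purl_el = root.find("packageUrl")
    is_regex = purl_el.get("regex", "false").lower() == "true"
    return purl_el.text.strip(), is_regex, root.findtext("cpe").strip()

def purl_matches(pattern, is_regex, purl):
    """Assumed ODC semantics: full regex match when regex="true", else exact string."""
    return bool(re.fullmatch(pattern, purl)) if is_regex else pattern == purl

def suppressed(rule_xml, purls):
    """List which of the given package URLs the rule would suppress."""
    pattern, is_regex, _cpe = parse_rule(rule_xml)
    return [p for p in purls if purl_matches(pattern, is_regex, p)]

if __name__ == "__main__":
    for name, rule in (("narrow", NARROW_RULE), ("broad", BROAD_RULE)):
        hits = suppressed(rule, FLAGGED_PURLS)
        print(f"{name}: suppresses {len(hits)} of {len(FLAGGED_PURLS)} flagged jars")
```

Running it shows the narrow rule covering only prometheus-metrics-config, while the broadened rule covers all six jars that were matched to the prometheus:prometheus CPE.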
Package URL
pkg:maven/io.prometheus/prometheus-metrics-config@1.2.1
CPE
cpe:2.3:a:prometheus:prometheus:1.2.1:::::::*
CVE
CVE-2019-3826
ODC Integration
Gradle Plugin
ODC Version
8.4.3
Description
prometheus-metrics-config-1.2.1.jar (pkg:maven/io.prometheus/prometheus-metrics-config@1.2.1, cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-core-1.2.1.jar (pkg:maven/io.prometheus/prometheus-metrics-core@1.2.1, cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-exposition-formats-1.2.1.jar (pkg:maven/io.prometheus/prometheus-metrics-exposition-formats@1.2.1, cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-model-1.2.1.jar (pkg:maven/io.prometheus/prometheus-metrics-model@1.2.1, cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-shaded-protobuf-1.2.1.jar (pkg:maven/io.prometheus/prometheus-metrics-shaded-protobuf@1.2.1, cpe:2.3:a:prometheus:prometheus:1.2.1:::::::, cpe:2.3:a:protobuf:protobuf:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-tracer-common-1.2.1.jar (pkg:maven/io.prometheus/prometheus-metrics-tracer-common@1.2.1, cpe:2.3:a:prometheus:prometheus:1.2.1:::::::*) : CVE-2019-3826