github-actions[bot]
commented
3 months ago Maven Coordinates
<dependency>
<groupId>io.ktor</groupId>
<artifactId>ktor-server-call-logging-jvm</artifactId>
<version>2.3.11</version>
</dependency>Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #6694
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-call-logging-jvm@.*$</packageUrl>
<cpe>cpe:/a:call_project:call</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268548184
volkert-fastned
jeremylong
Package URl
pkg:maven/io.ktor/ktor-server-call-logging-jvm@2.3.11
CPE
cpe:2.3:a:call_project:call:2.3.11:::::::*
CVE
CVE-2016-10543
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
9.2.0
Description
Vulnerability CVE-2016-10543, which applies to the call module of
hapi.js(a Node.js library) gets flagged on Ktor dependencies that havecallin the name:Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.
Also worth noting: according to NIST, the CPE should in fact be
cpe:2.3:a:call_project:call:*:*:*:*:*:node.js:*:*, but the CPE that the DendencyCheck Gradle plugin flags has a wildcard in place of thenode.jspart. Perhaps that's what's causing this false positive?