jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

False Positive Report for CVE-2012-5785 in Axis2 Version 1.8.2 #6745

Closed Jeld4 closed 3 months ago

Jeld4 commented 3 months ago

Hello,

I have encountered a security scanner report that flags CVE-2012-5785 in my project.

However, my project is currently using Apache Axis2/Java version 1.8.2. Given that version 1.8.2 is much newer than 1.6.2, I believe this CVE should not apply to my project and suspect it might be a false positive.

Additionally, I noticed that sandesha2-core has a dependency on axis2-codegen version 1.6.2. Is it possible that the dependency check is confused because of this?

Here is the tree of dependencies from my project:

```
+--- org.apache.sandesha2:sandesha2-core:1.6.2
|    +--- org.apache.axis2:axis2-codegen:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.ws.commons.axiom:axiom-api:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-impl:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-dom:1.2.13 -> 1.4.0 (*)
|    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.axis2:addressing:1.6.2
|    |    \--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    \--- org.apache.axis2:axis2-mtompolicy:1.6.2
|         +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|         \--- org.apache.neethi:neethi:3.0.2 -> 3.2.0
```

I would like to be sure that we can mark the CVE as a false positive if we have newer versions.

Thank you for your assistance.
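As an added example (not code from this issue thread or from dependency-check itself), here is a small Python parser for the kind of dependency tree quoted above. It assumes the tree is Gradle `dependencies` output, where `a -> b` means version `a` was requested but `b` was resolved after conflict resolution and `(*)` marks a subtree already printed; the sample tree is reconstructed from the post with those markers restored. It separates versions that were merely requested from versions that actually resolve onto the classpath, which is the distinction the question turns on: a requested `1.6.2` that resolves to `1.8.2` never ships, but some artifacts in the quoted tree (`addressing`, `axis2-mtompolicy`, `sandesha2-core`) still resolve at `1.6.2`, which is why the report's own Maven coordinates, not the tree alone, settle what was flagged.

```python
"""Parse a Gradle-style dependency tree; list requested vs resolved versions.

Added example, not part of the issue thread or of dependency-check. The
format assumed is Gradle's `dependencies` task output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the tree quoted in the issue, with Gradle's "(*)"
# (subtree already shown) markers restored.
SAMPLE_TREE = """\
+--- org.apache.sandesha2:sandesha2-core:1.6.2
|    +--- org.apache.axis2:axis2-codegen:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.ws.commons.axiom:axiom-api:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-impl:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-dom:1.2.13 -> 1.4.0 (*)
|    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.axis2:addressing:1.6.2
|    |    \\--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    \\--- org.apache.axis2:axis2-mtompolicy:1.6.2
|         +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|         \\--- org.apache.neethi:neethi:3.0.2 -> 3.2.0
"""

# One tree line: a prefix of "|" and spaces, a "+---" or "\---" branch,
# then group:artifact:requested, an optional "-> resolved", and an optional
# Gradle marker such as "(*)", "(c)" or "(n)".
LINE_RE = re.compile(
    r"^(?P<prefix>[|\s]*)[+\\]---\s+"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<requested>\S+)"
    r"(?:\s+->\s+(?P<resolved>\S+))?"
    r"(?:\s+\((?P<marker>[*cn])\))?\s*$"
)


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    requested: str   # version written in the declaring POM/build file
    resolved: str    # version Gradle actually puts on the classpath
    depth: int       # nesting level in the tree (0 = direct dependency)

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_tree(text: str) -> list[Dep]:
    """Turn tree text into Dep records; lines that are not tree nodes are skipped."""
    deps: list[Dep] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 5        # each level is "|    " (5 chars)
        resolved = m.group("resolved") or m.group("requested")
        deps.append(Dep(m.group("group"), m.group("artifact"),
                        m.group("requested"), resolved, depth))
    return deps


def versions_on_classpath(deps: list[Dep], ga: str) -> list[str]:
    """Versions of group:artifact that actually resolve (after conflict resolution)."""
    return sorted({d.resolved for d in deps if d.ga == ga})


def artifacts_resolved_at(deps: list[Dep], version: str) -> list[str]:
    """group:artifact coordinates whose shipped version is exactly `version`."""
    return sorted({d.ga for d in deps if d.resolved == version})


def upgraded_requests(deps: list[Dep]) -> list[tuple[str, str, str]]:
    """(group:artifact, requested, resolved) triples where Gradle replaced the version."""
    return sorted({(d.ga, d.requested, d.resolved) for d in deps
                   if d.requested != d.resolved})


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    print("axis2-codegen on classpath:",
          versions_on_classpath(tree, "org.apache.axis2:axis2-codegen"))
    print("still resolved at 1.6.2:", artifacts_resolved_at(tree, "1.6.2"))
    for ga, req, res in upgraded_requests(tree):
        print(f"{ga}: requested {req}, resolved {res}")
```

Run it against the output of `gradle dependencies --configuration runtimeClasspath` (or paste the tree in place of the constructed sample) and compare the `artifacts_resolved_at` result with the Maven coordinates the ODC report names; a flagged coordinate that appears only in `upgraded_requests` is a candidate false positive, while one that appears in `artifacts_resolved_at` is really on the classpath.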

chadlwilson commented 3 months ago

There is a dedicated issue type for false positive reports that ensures you report the necessary information from the ODC report to make these possible to assess. The output specifically notes the exact dependency it is reporting against so there should be no confusion here.

The team need to know the specific Maven coordinates reported and the CPE at least, i.e. the information from the report ODC gives you.

chadlwilson commented 3 months ago

https://github.com/jeremylong/DependencyCheck/issues/new?assignees=&labels=FP+Report&projects=&template=false-positive-report.yml&title=%5BFP%5D%3A+

chadlwilson commented 3 months ago

Hi there, can you please close this duplicate, since you raised it at https://github.com/jeremylong/DependencyCheck/issues/6757 using the template? :-)

(I'm not actually a maintainer, so I can't clean up issues myself, but it would help the team.)