Closed snorwin closed 2 days ago
Maven Coordinates
<dependency>
    <groupId>org.apache.taglibs</groupId>
    <artifactId>taglibs-standard-impl</artifactId>
    <version>1.2.5</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6765
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.taglibs/taglibs-standard-impl@.*$</packageUrl>
    <cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9757161612
False positive is not reproducible in Maven.
Also with the Docker image, pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5
is properly linked to cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*
and is not showing false positive CVEs.
Package URL
pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5
CPE
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions up to (excluding) 6.0.48
CVE
CVE-2016-8735
ODC Integration
{"label"=>"Docker"}
ODC Version
9.2.0
Description
Since the CPEs were updated on 6/27/2024 3:23:35 PM (see: https://nvd.nist.gov/vuln/detail/CVE-2016-8735#VulnChangeHistorySection), we have encountered false positives with Apache Tomcat versions 9.0.90 and 10.1.25.
Can you please check this quickly?