jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: CVE-2016-8735 on JSP Standard Tag Library (JSTL). #6765

Closed snorwin closed 2 days ago

snorwin commented 3 days ago

Package URL

pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5

CPE

cpe:2.3:a:apache:tomcat:::::::: versions up to (excluding) 6.0.48

CVE

CVE-2016-8735

ODC Integration

Docker

ODC Version

9.2.0

Description

Since the CPE was updated on 6/27/2024 3:23:35 PM (see: https://nvd.nist.gov/vuln/detail/CVE-2016-8735#VulnChangeHistorySection), we have encountered false positives with Apache Tomcat versions 9.0.90 and 10.1.25.

Can you please check this quickly?

github-actions[bot] commented 3 days ago

Maven Coordinates

<dependency>
   <groupId>org.apache.taglibs</groupId>
   <artifactId>taglibs-standard-impl</artifactId>
   <version>1.2.5</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6765
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.taglibs/taglibs-standard-impl@.*$</packageUrl>
   <cpe>cpe:/a:apache:tomcat</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9757161612
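Before adopting a suppression like the one the bot generated, it is worth checking that it hides only the taglibs-to-tomcat mismatch and not a genuine Tomcat finding or the correct standard_taglibs identification. The script below is an added example, not code from dependency-check or from this issue; it assumes dependency-check's documented semantics that the packageUrl selector scopes the rule to a dependency and that a non-regex partial `<cpe>` (no version) matches on its leading fields.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the suppression rule the bot posted in this issue.
SUPPRESSION_XML = r"""<suppress base="true">
   <notes><![CDATA[ FP per issue #6765 ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.taglibs/taglibs-standard-impl@.*$</packageUrl>
   <cpe>cpe:/a:apache:tomcat</cpe>
</suppress>"""


def cpe_fields(cpe):
    """Split a CPE 2.2 URI (cpe:/a:vendor:product:version) or a CPE 2.3 string
    (cpe:2.3:a:vendor:product:version:...) into fields, dropping trailing
    empty/wildcard fields so a partial CPE compares on its leading fields only."""
    for prefix in ("cpe:2.3:", "cpe:/"):
        if cpe.startswith(prefix):
            parts = cpe[len(prefix):].split(":")
            while parts and parts[-1] in ("", "*", "-"):
                parts.pop()
            return parts
    raise ValueError("unrecognised CPE format: " + cpe)


def load_rule(xml_text):
    """Pull the dependency selector (packageUrl) and finding selector (cpe)."""
    root = ET.fromstring(xml_text)
    purl, cpe = root.find("packageUrl"), root.find("cpe")
    return {"purl": purl.text.strip(), "purl_regex": purl.get("regex") == "true",
            "cpe": cpe.text.strip(), "cpe_regex": cpe.get("regex") == "true"}


def is_suppressed(rule, purl, identified_cpe):
    """The rule hides a finding only if BOTH the dependency's purl and the
    identified CPE match. Assumption: a non-regex <cpe> that omits the version
    is a leading-field match, the way dependency-check treats partial CPEs."""
    if rule["purl_regex"]:
        purl_ok = re.fullmatch(rule["purl"], purl) is not None
    else:
        purl_ok = rule["purl"] == purl
    if not purl_ok:
        return False
    if rule["cpe_regex"]:
        return re.fullmatch(rule["cpe"], identified_cpe) is not None
    want = cpe_fields(rule["cpe"])
    return cpe_fields(identified_cpe)[: len(want)] == want


RULE = load_rule(SUPPRESSION_XML)
TAGLIBS = "pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5"
```

Run it against the purl from this issue with the tomcat CPE (suppressed), the standard_taglibs CPE (kept) and a real Tomcat artifact (kept) to confirm the rule is scoped as intended.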

aikebah commented 2 days ago

False positive is not reproducible in maven

aikebah commented 2 days ago

Also with the docker image, pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5 is properly linked to cpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:* and is not showing false positive CVEs.