jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Wrongly reporting vulnerability CVE-2007-1652 on org/eclipse/jetty/jetty-openid #6829

Closed prabutdr closed 2 weeks ago

prabutdr commented 2 weeks ago

Package URL

pkg:maven/org.eclipse.jetty/jetty-openid@9.4.54.v20240208

CPE

cpe:2.3:a:openid:openid::::::::

CVE

CVE-2007-1652

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

10.0.0

Description

This CVE-2007-1652 only impacts "openid.net" packages, as per https://www.cve.org/CVERecord?id=CVE-2007-1652 and the CPE provided. But the tool is reporting CVE-2007-1652 on "org/eclipse/jetty/jetty-openid" jars as well, which is wrong.

From the Dependency Check tool team, we need confirmation of these false positives. Could you please validate and confirm?

github-actions[bot] commented 2 weeks ago

Maven Coordinates

<dependency>
   <groupId>org.eclipse.jetty</groupId>
   <artifactId>jetty-openid</artifactId>
   <version>9.4.54.v20240208</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6829
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-openid@.*$</packageUrl>
   <cpe>cpe:/a:openid:openid</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9867983806
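To check that the proposed rule is scoped as narrowly as intended (it should drop the openid:openid match on jetty-openid only, and leave every other finding alone), here is a small added Python model of how a suppression's packageUrl regex and CPE prefix combine. This is example code written for this page, not DependencyCheck's own matching logic; the CPE prefix comparison (a 2.2-style "cpe:/a:vendor:product" rule matching a 2.3 finding whose leading components agree) and the sample findings are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# The suppression rule proposed in the issue, copied into constants.
PACKAGE_URL_REGEX = r"^pkg:maven/org\.eclipse\.jetty/jetty-openid@.*$"
SUPPRESSED_CPE = "cpe:/a:openid:openid"


@dataclass(frozen=True)
class Finding:
    """One CPE-based match reported against a dependency (constructed shape)."""
    package_url: str
    cpe: str
    cve: str


def _cpe_components(cpe: str) -> list:
    """Reduce a CPE 2.2 ("cpe:/a:...") or 2.3 ("cpe:2.3:a:...") string to its
    colon-separated components so the two formats can be compared."""
    if cpe.startswith("cpe:2.3:"):
        return cpe[len("cpe:2.3:"):].split(":")
    if cpe.startswith("cpe:/"):
        return cpe[len("cpe:/"):].split(":")
    raise ValueError(f"unrecognised CPE format: {cpe}")


def cpe_matches(rule_cpe: str, finding_cpe: str) -> bool:
    """Assumed prefix semantics: the rule matches when every component it
    specifies (part, vendor, product) equals the finding's leading components."""
    rule = _cpe_components(rule_cpe)
    finding = _cpe_components(finding_cpe)
    return finding[:len(rule)] == rule


def is_suppressed(finding: Finding,
                  purl_regex: str = PACKAGE_URL_REGEX,
                  rule_cpe: str = SUPPRESSED_CPE) -> bool:
    """Both conditions of the rule must hold: the package URL matches the regex
    AND the finding's CPE matches the suppressed CPE."""
    purl_ok = re.match(purl_regex, finding.package_url) is not None
    return purl_ok and cpe_matches(rule_cpe, finding.cpe)


def apply_suppressions(findings: list) -> list:
    """Return the findings that survive the rule."""
    return [f for f in findings if not is_suppressed(f)]


# Constructed sample findings (not real scan output):
CONSTRUCTED_FINDINGS = [
    # 1. The false positive from this issue: should be suppressed.
    Finding("pkg:maven/org.eclipse.jetty/jetty-openid@9.4.54.v20240208",
            "cpe:2.3:a:openid:openid::::::::", "CVE-2007-1652"),
    # 2. A different CPE on the same jar: must NOT be suppressed
    #    (placeholder CVE id; constructed for the demonstration).
    Finding("pkg:maven/org.eclipse.jetty/jetty-openid@9.4.54.v20240208",
            "cpe:2.3:a:example:other-product:*:*:*:*:*:*:*:*", "CVE-EXAMPLE-0001"),
    # 3. The same CPE on an unrelated package: must NOT be suppressed,
    #    since the rule is keyed to the jetty-openid package URL.
    Finding("pkg:maven/org.example/openid-lib@1.0",
            "cpe:2.3:a:openid:openid::::::::", "CVE-2007-1652"),
]

if __name__ == "__main__":
    for f in CONSTRUCTED_FINDINGS:
        print(f.package_url, f.cve, "suppressed" if is_suppressed(f) else "kept")
```

Running the module prints one line per constructed finding; only the first (jetty-openid matched to openid:openid) is suppressed, which is the behaviour a reviewer wants from a base suppression: it removes the known false positive without hiding any other match on that package or the same CPE on other packages.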

aikebah commented 2 weeks ago

approved

github-actions[bot] commented 2 weeks ago

Suppression rule has been added to the generatedSuppressions branch.