Closed prabutdr closed 2 weeks ago
Maven Coordinates
<dependency>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-openid</artifactId>
    <version>9.4.54.v20240208</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6829
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-openid@.*$</packageUrl>
    <cpe>cpe:/a:openid:openid</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9867983806
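Before a suppression like the one above is merged (or copied into a project's own suppression file), it is worth checking that it matches exactly the finding it is meant to cover and nothing else: an over-broad `packageUrl` regex or CPE prefix silently hides real findings. The script below is an added example, not DependencyCheck's own code. It embeds the posted rule verbatim inside the `<suppressions>` root element the ODC suppression schema uses, checks it against the package URL and CPE reported in this issue, and probes a few constructed neighbouring package URLs that must not be covered. The neighbouring artifacts (`jetty-openid-extras`, `openid4java`) are hypothetical, and treating a non-regex `<cpe>` as a prefix match on the 2.2-style identifier is an assumption made for this check, not a statement about the tool's matcher.

```python
import re
import xml.etree.ElementTree as ET

# The suppression rule exactly as posted in the issue, wrapped in the root
# element that an ODC suppression file uses.
SUPPRESSION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #6829
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.eclipse\\.jetty/jetty-openid@.*$</packageUrl>
    <cpe>cpe:/a:openid:openid</cpe>
  </suppress>
</suppressions>
"""

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Values the tool reported for this finding (taken from the issue body).
REPORTED_PURL = "pkg:maven/org.eclipse.jetty/jetty-openid@9.4.54.v20240208"
REPORTED_CPE23 = "cpe:2.3:a:openid:openid::::::::"

# Constructed package URLs the rule must NOT cover. A rule that matched any of
# these would be over-broad and would hide unrelated findings.
MUST_NOT_MATCH = [
    "pkg:maven/org.eclipse.jetty/jetty-openid-extras@9.4.54.v20240208",  # hypothetical artifact
    "pkg:maven/org.eclipse.jetty/jetty-server@9.4.54.v20240208",
    "pkg:maven/org.eclipsexjetty/jetty-openid@9.4.54.v20240208",         # catches an unescaped dot
    "pkg:maven/net.openid/openid4java@1.0.0",                             # hypothetical artifact
]


def cpe23_to_uri_prefix(cpe23):
    """Reduce a CPE 2.3 formatted string to the CPE 2.2 URI prefix form used
    in suppression files, e.g. cpe:2.3:a:openid:openid:*:*:... -> cpe:/a:openid:openid.
    Assumption: no escaped colons inside components."""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: " + cpe23)
    comps = parts[2:]
    # Drop trailing 'any' components; ODC prints them as empty, NVD as '*'.
    while comps and comps[-1] in ("*", ""):
        comps.pop()
    return "cpe:/" + ":".join(comps)


def parse_rules(xml_text):
    """Return the <suppress> rules as dicts (only the fields this check needs)."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall("s:suppress", NS):
        purl_el = sup.find("s:packageUrl", NS)
        cpe_el = sup.find("s:cpe", NS)
        rules.append({
            "purl": purl_el.text.strip(),
            "purl_regex": purl_el.get("regex", "false") == "true",
            "cpe": cpe_el.text.strip(),
            "base": sup.get("base") == "true",
        })
    return rules


def purl_matches(rule, purl):
    if rule["purl_regex"]:
        return re.search(rule["purl"], purl) is not None
    return rule["purl"] == purl


def cpe_matches(rule, cpe23):
    # Assumption: a non-regex <cpe> acts as a prefix match on the 2.2 URI form.
    return cpe23_to_uri_prefix(cpe23).startswith(rule["cpe"])


def check_rule(xml_text, purl, cpe23, must_not_match):
    """Summarise whether the first rule hits the reported finding and whether
    it reaches any of the package URLs it must leave alone."""
    rule = parse_rules(xml_text)[0]
    return {
        "purl_hit": purl_matches(rule, purl),
        "cpe_hit": cpe_matches(rule, cpe23),
        "overreach": [p for p in must_not_match if purl_matches(rule, p)],
        "base": rule["base"],
    }


if __name__ == "__main__":
    print(check_rule(SUPPRESSION_XML, REPORTED_PURL, REPORTED_CPE23, MUST_NOT_MATCH))
```

Two things the check makes visible: the regex requires a literal `@` immediately after `jetty-openid`, so sibling artifacts with a longer name are not swept in, and the escaped dots in `org\.eclipse\.jetty` keep a different group id from matching. The `base="true"` attribute marks the rule as one of the tool's bundled base suppressions (which is why it went to the generatedSuppressions branch); a copy placed in a project's own suppression file can omit it.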
approved
Suppress rule has been added to the generatedSuppressions branch.
Package URL
pkg:maven/org.eclipse.jetty/jetty-openid@9.4.54.v20240208
CPE
cpe:2.3:a:openid:openid::::::::
CVE
CVE-2007-1652
ODC Integration
Maven Plugin
ODC Version
10.0.0
Description
CVE-2007-1652 impacts only "openid.net" packages, as per https://www.cve.org/CVERecord?id=CVE-2007-1652 and the CPE provided. But the tool is reporting CVE-2007-1652 on "org/eclipse/jetty/jetty-openid" jars as well, which is wrong.
From the Dependency Check tool team, we need confirmation of these false positives. Could you please validate and confirm?