jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: groupId and artifactId are ignored #6839

Closed slawekjaranowski closed 1 week ago

slawekjaranowski commented 1 month ago

Package URL

pkg:maven/commons-discovery/commons-discovery@0.2

CPE

cpe:2.3:a:spirit-project:spirit:0.2:*:*:*:*:*:*:*

CVE

No response

ODC Integration

Maven Plugin

ODC Version

10.0.2

Description

Looks like only the version is used, but groupId and artifactId are ignored. It can be a more general problem.

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>commons-discovery</groupId>
   <artifactId>commons-discovery</artifactId>
   <version>0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6839
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-discovery/commons-discovery@.*$</packageUrl>
   <cpe>cpe:/a:spirit-project:spirit</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941750630
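The generated suppression rule above is a conjunction of two conditions: the packageUrl regex must match the dependency's Package URL, and the cpe element is a "starts with" match against the CPE that dependency-check identified. The Python script below is an added example, not code from this thread or from dependency-check itself. It parses that rule and applies it to a few constructed findings (the false positive from this issue plus three made-up controls) to show which ones the rule would suppress. Two details are assumptions about how ODC compares values, not verified against its source: the CPE 2.3 string is converted to the CPE 2.2 URI form before the prefix check, and a regex packageUrl is matched against the whole Package URL.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The suppression rule from the bot comment, wrapped in a <suppressions> root.
# (A real suppression file also declares the dependency-suppression XSD namespace; omitted here.)
SUPPRESSION_XML = """<suppressions>
   <suppress base="true">
      <notes><![CDATA[
      FP per issue #6839
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/commons-discovery/commons-discovery@.*$</packageUrl>
      <cpe>cpe:/a:spirit-project:spirit</cpe>
   </suppress>
</suppressions>
"""

# Constructed findings in the shape ODC reports them: (Package URL, matched CPE 2.3 string).
# The first pair is the false positive from this issue; the other three are made-up controls.
FINDINGS = [
    ("pkg:maven/commons-discovery/commons-discovery@0.2",
     "cpe:2.3:a:spirit-project:spirit:0.2:*:*:*:*:*:*:*"),
    ("pkg:maven/commons-discovery/commons-discovery@0.5",        # constructed: other version, same FP
     "cpe:2.3:a:spirit-project:spirit:0.5:*:*:*:*:*:*:*"),
    ("pkg:maven/org.example/spirit-client@0.2",                  # constructed: different artifact
     "cpe:2.3:a:spirit-project:spirit:0.2:*:*:*:*:*:*:*"),
    ("pkg:maven/commons-discovery/commons-discovery@0.2",        # constructed: same purl, other CPE
     "cpe:2.3:a:apache:commons_discovery:0.2:*:*:*:*:*:*:*"),
]


@dataclass(frozen=True)
class SuppressRule:
    notes: str
    package_url: str
    package_url_is_regex: bool
    cpe_prefix: str  # CPE 2.2 URI prefix, "starts with" semantics


def load_rules(xml_text: str) -> list[SuppressRule]:
    """Read every <suppress> element into a SuppressRule (only packageUrl/cpe rules are modelled)."""
    rules = []
    for s in ET.fromstring(xml_text).findall("suppress"):
        purl, cpe, notes = s.find("packageUrl"), s.find("cpe"), s.find("notes")
        rules.append(SuppressRule(
            notes=(notes.text or "").strip() if notes is not None else "",
            package_url=(purl.text or "").strip() if purl is not None else "",
            package_url_is_regex=purl is not None and purl.get("regex", "false") == "true",
            cpe_prefix=(cpe.text or "").strip() if cpe is not None else "",
        ))
    return rules


def cpe23_to_cpe22(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the CPE 2.2 URI form used in suppression files.
    Assumption: only unescaped components; trailing '*' (ANY) components are dropped."""
    parts = cpe23.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    fields = parts[2:]
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join(fields)


def purl_matches(rule: SuppressRule, purl: str) -> bool:
    """Regex rules are assumed to match the whole Package URL; plain rules compare for equality."""
    if rule.package_url_is_regex:
        return re.fullmatch(rule.package_url, purl) is not None
    return rule.package_url == purl


def cpe_matches(rule: SuppressRule, cpe23: str) -> bool:
    """The <cpe> element is a prefix of the 2.2 URI form of the identified CPE."""
    if not rule.cpe_prefix:
        return False  # this emulation only handles cpe-based rules
    return cpe23_to_cpe22(cpe23).startswith(rule.cpe_prefix)


def is_suppressed(rules: list[SuppressRule], purl: str, cpe23: str) -> bool:
    """A finding is suppressed when some rule satisfies both its conditions."""
    return any(purl_matches(r, purl) and cpe_matches(r, cpe23) for r in rules)


def apply_suppressions(rules, findings):
    """Split findings into (suppressed, remaining), the way the report would."""
    suppressed, remaining = [], []
    for purl, cpe in findings:
        (suppressed if is_suppressed(rules, purl, cpe) else remaining).append((purl, cpe))
    return suppressed, remaining


if __name__ == "__main__":
    kept, shown = apply_suppressions(load_rules(SUPPRESSION_XML), FINDINGS)
    for purl, cpe in kept:
        print("suppressed:", purl, "->", cpe)
    for purl, cpe in shown:
        print("reported:  ", purl, "->", cpe)
```

The third control shows why the bot anchors the packageUrl regex on groupId and artifactId rather than on the CPE alone: a different artifact that happens to map to the same spirit-project CPE keeps being reported, so the suppression stays narrow to the dependency whose match was judged a false positive.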

aikebah commented 1 week ago

approved

@slawekjaranowski It's not about ignoring groupId/artifactId, it's about no CVE being registered against commons-discovery yet, and therefore an improper CPE match is found to be the 'best matching CPE' for the combination of evidence gathered from the dependency and the CPEs found in the NVD CVE data. If there had been a CVE registered against commons-discovery, that would've resulted in a much better match.

github-actions[bot] commented 1 week ago

Suppression rule has been added to the generatedSuppressions branch.