jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: CVE-2023-33202 for bc-fips and bcpg-fips #6844

Open mousumis opened 1 month ago

mousumis commented 1 month ago

Package URL

pkg:maven/org.bouncycastle/bc-fips@1.0.2.4

CPE

cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.0.2.4:*:*:*:*:*:*:*

CVE

CVE-2023-33202

ODC Integration

None

ODC Version

10.0.2

Description

CVE-2023-33202 is being flagged for bc-fips version 1.0.2.4, and bcpg-fips version 1.0.7.1. However, documentation states that the CVE is remediated in BC-FJA 1.0.2.4.

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bc-fips</artifactId>
   <version>1.0.2.4</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6844
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bc-fips@.*$</packageUrl>
   <cpe>cpe:/a:bouncycastle:bouncy_castle_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9947088690
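Added example, not part of this issue and not dependency-check's own code: a simplified Python model of how the generated suppression rule is matched (packageUrl regex, then CPE vendor/product with the version compared only when the rule gives one), run over constructed findings shaped like the fields quoted in the issue. It makes visible that the bot's rule silences every bc-fips version on that CPE, not only 1.0.2.4; the 1.0.2.3 finding and the pinned alternative rule are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample findings (purl + CPE + CVE, as reported in the issue);
# the 1.0.2.3 entry is invented to show the rule's reach. Not a real report.
FINDINGS = [
    {"purl": "pkg:maven/org.bouncycastle/bc-fips@1.0.2.4",
     "cpe": "cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.0.2.4:*:*:*:*:*:*:*",
     "cve": "CVE-2023-33202"},
    {"purl": "pkg:maven/org.bouncycastle/bc-fips@1.0.2.3",  # constructed
     "cpe": "cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.0.2.3:*:*:*:*:*:*:*",
     "cve": "CVE-2023-33202"},
    {"purl": "pkg:maven/org.bouncycastle/bcpg-fips@1.0.7.1",
     "cpe": "cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.0.7.1:*:*:*:*:*:*:*",
     "cve": "CVE-2023-33202"},
]

@dataclass
class Rule:
    purl_regex: str             # <packageUrl regex="true">
    cpe_prefix: str             # <cpe> in cpe:/a:vendor:product[:version] form
    cve: Optional[str] = None   # optional <cve>; None means any CVE on that CPE

def cpe_matches(prefix: str, cpe23: str) -> bool:
    """Simplified model of <cpe> matching: vendor and product must match;
    the version is compared only when the rule supplies one."""
    want = prefix.removeprefix("cpe:/a:").split(":")
    have = cpe23.split(":")[3:]          # vendor, product, version, ...
    if want[:2] != have[:2]:
        return False
    return len(want) < 3 or want[2] == have[2]

def suppressed(rule: Rule, f: dict) -> bool:
    return (re.search(rule.purl_regex, f["purl"]) is not None
            and cpe_matches(rule.cpe_prefix, f["cpe"])
            and (rule.cve is None or rule.cve == f["cve"]))

def coverage(rule: Rule, findings=FINDINGS) -> list:
    """Return the purls a rule would silence, so its blast radius is visible."""
    return [f["purl"] for f in findings if suppressed(rule, f)]

# The rule generated in the issue: every bc-fips version, any CVE on that CPE.
BOT_RULE = Rule(r"^pkg:maven/org\.bouncycastle/bc-fips@.*$",
                "cpe:/a:bouncycastle:bouncy_castle_for_java")
# Hypothetical narrower rule: pin the version and the single disputed CVE.
PINNED_RULE = Rule(r"^pkg:maven/org\.bouncycastle/bc-fips@1\.0\.2\.4$",
                   "cpe:/a:bouncycastle:bouncy_castle_for_java:1.0.2.4",
                   cve="CVE-2023-33202")
```

Calling `coverage(BOT_RULE)` lists both bc-fips findings, while `coverage(PINNED_RULE)` lists only the 1.0.2.4 one; bcpg-fips is untouched by either because its purl does not match.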