[FP]: CVE-2020-26939 for bcpg-fips

[mousumis]

Package URl

pkg:maven/org.bouncycastle/bcpg-fips@1.0.7.1

CPE

cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.0.7.1:*:*:*:*:*:*:*

CVE

CVE-2020-26939

ODC Integration

None

ODC Version

10.0.2

Description

CVE-2020-26939 is being flagged for bcpg-fips version 1.0.7.1 though documentation states that it is remediated in bc-fips v1.0.1.2. 1.0.7.1 is the latest bcpg-fips version which should correspond to a bc-fips version higher than 1.0.1.2 which has the fix.

[github-actions[bot]]

Maven Coordinates

<dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bcpg-fips</artifactId>
   <version>1.0.7.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6854
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg-fips@.*$</packageUrl>
   <cpe>cpe:/a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9981943724

[github-actions[bot]]

Maven Coordinates

<dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bcpg-fips</artifactId>
   <version>1.0.7.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6854
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg-fips@.*$</packageUrl>
   <cpe>cpe:/a:bouncycastle:bouncy_castle_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10575736662

[aikebah]

approved

[github-actions[bot]]

Suppress rule has been added to the generatedSuppressions branch.