Closed karthickm512 closed 1 week ago
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10041310272
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10041606726
Maven Coordinates
```xml
<dependency>
    <groupId>com.typesafe.akka</groupId>
    <artifactId>akka-actor_2.13</artifactId>
    <version>2.6.16</version>
</dependency>
```
Suppression rule:
```xml
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6865
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.typesafe\.akka/akka-actor_2\.13@.*$</packageUrl>
    <cpe>cpe:/a:akka:akka</cpe>
</suppress>
```
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10041612846
The vulnerability is signalled on your own library, not on akka-actor. As it is your private library you'll have to perform the suppression yourself. The FP is the expected result of how DependencyCheck works to try and match an NVD CPE to each library.
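As an added illustration (not code from DependencyCheck or from anyone on this issue), the following Python script models how a suppression rule's `packageUrl` and partial `cpe` are matched against a finding, with the bot's rule and the issue's reported values pasted in. The private module's coordinates (`pkg:maven/com.example/akka-verifier@1.146.0`) are a constructed placeholder, since the issue only names it "Akka Verifier" at version 1.146.0; treating a partial `<cpe>` as a prefix match is a simplified model of the tool's behaviour, not its actual code.

```python
import re
import xml.etree.ElementTree as ET

# Suppression rule as posted by the false-positive bot on this issue (verbatim).
BOT_RULE = r"""<suppress base="true">
<notes><![CDATA[
FP per issue #6865
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.typesafe\.akka/akka-actor_2\.13@.*$</packageUrl>
<cpe>cpe:/a:akka:akka</cpe>
</suppress>"""

# Values copied from the issue's report fields.
REPORTED_PURL = "pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.16"
REPORTED_CPE = "cpe:2.3:a:akka:akka:1.146.0:*:*:*:*:*:*:*"

# Constructed placeholder for the reporter's private module: the issue names it
# "Akka Verifier" at version 1.146.0 but gives no Maven coordinates for it.
PRIVATE_PURL = "pkg:maven/com.example/akka-verifier@1.146.0"


def cpe23_to_uri(cpe: str) -> str:
    """Reduce a CPE 2.3 formatted string to the URI form used in suppression
    files (cpe:/part:vendor:product:version), dropping wildcard fields."""
    if not cpe.startswith("cpe:2.3:"):
        return cpe
    fields = cpe.split(":")[2:6]  # part, vendor, product, version
    fields = [f for f in fields if f != "*"]
    return "cpe:/" + ":".join(fields)


def parse_suppression(xml_text: str) -> dict:
    """Extract the packageUrl matcher and the cpe list from one <suppress> element."""
    root = ET.fromstring(xml_text)
    purl = root.find("packageUrl")
    return {
        "packageUrl": purl.text.strip() if purl is not None else None,
        "packageUrlRegex": purl is not None and purl.get("regex") == "true",
        "cpes": [c.text.strip() for c in root.findall("cpe")],
    }


def rule_suppresses(rule: dict, purl: str, cpe: str) -> bool:
    """Simplified model of suppression matching (an assumption, not the tool's
    code): the packageUrl must select the dependency (regex full match, or an
    exact string when regex is off), and the finding's CPE must begin with one
    of the rule's possibly partial CPEs."""
    pattern = rule["packageUrl"]
    if pattern is not None:
        if rule["packageUrlRegex"]:
            if re.fullmatch(pattern, purl) is None:
                return False
        elif pattern != purl:
            return False
    finding = cpe23_to_uri(cpe)
    return any(finding.startswith(c) for c in rule["cpes"])


def fix_rule_for(purl: str) -> str:
    """Rewrite the bot's rule so the packageUrl names the given library instead
    of akka-actor; the partial CPE already covers every akka:akka version."""
    name = purl.split("@")[0]
    return BOT_RULE.replace(
        r"^pkg:maven/com\.typesafe\.akka/akka-actor_2\.13@.*$",
        "^" + re.escape(name) + "@.*$",
    )


if __name__ == "__main__":
    bot = parse_suppression(BOT_RULE)
    # The bot's rule hides the akka:akka match on akka-actor itself ...
    print(rule_suppresses(bot, REPORTED_PURL, REPORTED_CPE))
    # ... but leaves the same CPE match on the private module in place.
    print(rule_suppresses(bot, PRIVATE_PURL, REPORTED_CPE))
    fixed = parse_suppression(fix_rule_for(PRIVATE_PURL))
    print(fix_rule_for(PRIVATE_PURL))
    print(rule_suppresses(fixed, PRIVATE_PURL, REPORTED_CPE))
    print(rule_suppresses(fixed, REPORTED_PURL, REPORTED_CPE))
```

Running the script shows that the generated rule only affects akka-actor, while the finding the maintainer describes sits on the private module, so the `packageUrl` in the user's own suppression file has to name that module's coordinates. The `<cpe>` line carries no version because a partial CPE covers every version of `akka:akka`, which is what makes it safe to keep unchanged.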
Package URL
pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.16
CPE
cpe:2.3:a:akka:akka:1.146.0:*:*:*:*:*:*:*
CVE
CVE-2017-1000034
ODC Integration
Maven Plugin
ODC Version
10.0.3
Description
We use Akka 2.6.16 in our local module named Akka Verifier, which has rolling version 1.146.0. However, Dep Checker flagged it under the mentioned CVE, mistakenly identifying it as Lightbend Akka.