jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Incorrect matching of Akka artifact #6865

Closed karthickm512 closed 1 week ago

karthickm512 commented 1 month ago

Package URL

pkg:maven/com.typesafe.akka/akka-actor_2.13@2.6.16

CPE

cpe:2.3:a:akka:akka:1.146.0:*:*:*:*:*:*:*

CVE

CVE-2017-1000034

ODC Integration

Maven Plugin

ODC Version

10.0.3

Description

We use Akka 2.6.16 in our local module named Akka Verifier, which has rolling version 1.146.0. However, Dep Checker flagged it under the mentioned CVE, mistakenly identifying it as Lightbend Akka.

github-actions[bot] commented 1 month ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10041310272

github-actions[bot] commented 1 month ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10041606726

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>com.typesafe.akka</groupId>
   <artifactId>akka-actor_2.13</artifactId>
   <version>2.6.16</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6865
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.typesafe\.akka/akka-actor_2\.13@.*$</packageUrl>
   <cpe>cpe:/a:akka:akka</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10041612846

aikebah commented 1 week ago

The vulnerability is signalled on your own library, not on akka-actor. As it is your private library, you'll have to perform the suppression yourself. The FP is the expected result of how DependencyCheck works to try and match an NVD CPE to each library.
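The suppression the maintainer refers to would be written by the reporter against their own artifact, not against akka-actor. The file below is an added example, not part of the issue and not the project's base suppression file: `com.example/akka-verifier` is a placeholder for the private module's real coordinates, and it assumes the module is identified in the report by a `pkg:maven` package URL (if it is only picked up as a jar on disk, a `<filePath>` element is the alternative selector). Suppressing by `<cpe>` removes every CVE attached to `cpe:/a:akka:akka` for that artifact; replacing it with `<cve>CVE-2017-1000034</cve>` would narrow the rule to the single finding on the page. The `base="true"` attribute seen in the bot's rule is for the project's bundled suppressions and is omitted here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <!-- Added example. com.example/akka-verifier is a placeholder for the
        in-house "Akka Verifier" module from the issue, not its real coordinates. -->
   <suppress>
      <notes><![CDATA[
      Akka Verifier is an internal module whose name contains "akka"; the
      CPE matcher therefore pairs it with cpe:/a:akka:akka (Lightbend Akka).
      It is not Akka, so vulnerabilities for that CPE do not apply.
      Scope: this artifact only, any version (the version is an internal
      rolling number, unrelated to Akka releases).
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/com\.example/akka-verifier@.*$</packageUrl>
      <cpe>cpe:/a:akka:akka</cpe>
   </suppress>
</suppressions>
```

For the Maven plugin integration named in the issue, the file is wired in through the `suppressionFiles` configuration of `org.owasp:dependency-check-maven` (one `<suppressionFile>` entry per file). Keeping the regex anchored to the exact groupId and artifactId, rather than to anything containing "akka", is what prevents the rule from also hiding real Akka findings on `akka-actor_2.13`.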