jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: (regression of #6695) CVE-2022-21704 still gets flagged on a Node.js dependency, #6869

Closed volkert-fastned closed 2 months ago

volkert-fastned commented 3 months ago

Package URL

pkg:maven/org.apache.logging.log4j/log4j-slf4j2-impl@2.23.1

CPE

cpe:2.3:a:log4js_project:log4js:2.23.1:*:*:*:*:*:*:*

CVE

CVE-2022-21704

ODC Integration

Gradle Plugin

ODC Version

10.0.3

Description

As I stated in this comment, the previous regression didn't work.

In this other comment, I shared the required change to make it work.

TL;DR: the CPE section in the suppression has to be changed as follows:

<cpe>cpe:/a:log4js_project:log4js</cpe>

github-actions[bot] commented 3 months ago

Maven Coordinates

<dependency>
   <groupId>org.apache.logging.log4j</groupId>
   <artifactId>log4j-slf4j2-impl</artifactId>
   <version>2.23.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6869
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-slf4j2-impl@.*$</packageUrl>
   <cpe>cpe:/a:log4js_project:log4js</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10059660424
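The rule above only suppresses CVE-2022-21704 where both parts line up: the `packageUrl` regex has to match the dependency, and the `<cpe>` value has to match the CPE dependency-check identified. The following Python is an added example, not code from this issue or from dependency-check itself: it models that matching against the issue's own finding and against a constructed npm `log4js` finding that the rule must not touch. The matching semantics (whole-string regex on `packageUrl`, starts-with on the CPE written in 2.2 URI form), the `cpe23_to_cpe22_uri` helper and the `OTHER_FINDING` sample are assumptions modelled on the documented suppression behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Finding copied from the issue's report fields: a Maven artifact that ODC
# mis-identified as the Node.js log4js package (the platform/language mismatch
# behind the CVE-2022-21704 false positive).
FINDING = {
    "purl": "pkg:maven/org.apache.logging.log4j/log4j-slf4j2-impl@2.23.1",
    "cpe": "cpe:2.3:a:log4js_project:log4js:2.23.1:*:*:*:*:*:*:*",
    "cve": "CVE-2022-21704",
}

# Constructed sample: a real npm log4js dependency the rule must leave alone,
# otherwise the suppression would hide a genuine finding.
OTHER_FINDING = {
    "purl": "pkg:npm/log4js@6.3.0",
    "cpe": "cpe:2.3:a:log4js_project:log4js:6.3.0:*:*:*:*:*:*:*",
    "cve": "CVE-2022-21704",
}

# The corrected rule from the issue, wrapped in a suppressions root element.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress base="true">
      <notes><![CDATA[
      FP per issue #6869
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-slf4j2-impl@.*$</packageUrl>
      <cpe>cpe:/a:log4js_project:log4js</cpe>
   </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the XML namespace so elements can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def cpe23_to_cpe22_uri(cpe23):
    """Convert a CPE 2.3 formatted string to the 2.2 URI form used in rules.
    Simplified (assumption): escaped colons inside values are not handled and
    the 2.3-only fields (sw_edition, target_sw, target_hw, other) are dropped
    instead of being packed into the edition component."""
    fields = cpe23.split(":")
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe23)
    # part, vendor, product, version, update, edition, language; ANY ('*') -> empty
    components = ["" if f == "*" else f for f in fields[2:9]]
    while components and components[-1] == "":
        components.pop()
    return "cpe:/" + ":".join(components)


def parse_rules(xml_text):
    """Parse <suppress> rules into dicts (only the elements used here)."""
    rules = []
    for node in ET.fromstring(xml_text):
        if _local(node.tag) != "suppress":
            continue
        rule = {"notes": "", "packageUrl": None, "packageUrlRegex": False,
                "cpes": [], "cves": []}
        for child in node:
            name = _local(child.tag)
            text = (child.text or "").strip()
            if name == "notes":
                rule["notes"] = text
            elif name == "packageUrl":
                rule["packageUrl"] = text
                rule["packageUrlRegex"] = child.get("regex", "false").lower() == "true"
            elif name == "cpe":
                rule["cpes"].append(text)
            elif name == "cve":
                rule["cves"].append(text)
        rules.append(rule)
    return rules


def rule_applies(rule, finding):
    """Return 'cve' or 'cpe' when the rule suppresses the finding, else None.
    Assumed semantics: packageUrl must match the dependency first (regex over
    the whole string, like Java's String.matches); then <cpe> is a starts-with
    test on the 2.2 URI and <cve> an exact, case-insensitive id comparison."""
    purl = rule["packageUrl"]
    if purl is not None:
        if rule["packageUrlRegex"]:
            if re.fullmatch(purl, finding["purl"]) is None:
                return None
        elif purl != finding["purl"]:
            return None
    if finding["cve"].upper() in {c.upper() for c in rule["cves"]}:
        return "cve"
    cpe22 = cpe23_to_cpe22_uri(finding["cpe"])
    for rule_cpe in rule["cpes"]:
        if cpe22.startswith(rule_cpe):
            return "cpe"
    return None


def evaluate(xml_text, finding):
    """List (notes, reason) for every rule that suppresses the finding."""
    hits = []
    for rule in parse_rules(xml_text):
        reason = rule_applies(rule, finding)
        if reason is not None:
            hits.append((rule["notes"], reason))
    return hits


if __name__ == "__main__":
    for f in (FINDING, OTHER_FINDING):
        print(f["purl"], "->", evaluate(SUPPRESSIONS_XML, f) or "still reported")
```

The point the two findings make: the `<cpe>` element alone would also match the npm `log4js` dependency, since its CPE converts to `cpe:/a:log4js_project:log4js:6.3.0` and shares the same prefix. It is the `packageUrl` restriction to the Maven `log4j-slf4j2-impl` coordinates that keeps the suppression scoped to the mismatched identification, so a genuinely affected Node.js dependency is still reported.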

volkert-fastned commented 3 months ago

This is yet another example of an FP as a result of a platform/language mismatch. @OrangeDog FYI

aikebah commented 2 months ago

The original suppression from #6695 has been corrected and the FP suppression automation has published the updated hosted suppressions file.