jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: org.eclipse.microprofile.config.microprofile-config-api for CVE-2022-45129 #6885

Open edward9944 opened 2 months ago

edward9944 commented 2 months ago

Package URL

pkg:maven/org.eclipse.microprofile.config/microprofile-config-api@3.0.3

CPE

cpe:2.3:a:payara:payara:3.0.3:::::::*

CVE

CVE-2022-45129

ODC Integration

None

ODC Version

10.0.3

Description

The actual vulnerable component is payara-api before 5.2022.3, but nowhere is it related to the reported 3PP org.eclipse.microprofile.config.microprofile-config-api-3.0.3.jar.

Note: the Package URL was missing in the OWASP scan result; since it is mandatory to provide a package URL to create an issue in GitHub, we provided it manually.

github-actions[bot] commented 2 months ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10299839100

github-actions[bot] commented 2 months ago

Maven Coordinates

<dependency>
   <groupId>org.eclipse.microprofile.config</groupId>
   <artifactId>microprofile-config-api</artifactId>
   <version>3.0.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6885
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile-config-api@.*$</packageUrl>
   <cpe>cpe:/a:payara:payara</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10300443838
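Before committing a suppression like the one above, it is worth checking locally that its `packageUrl` regex really matches the reported purl and that its version-less `cpe` covers the identified CPE 2.3 string. The script below is an added example, not code from the dependency-check project; it is a simplified re-implementation of the matching semantics as documented (regex selectors must match the whole value, a non-regex `<cpe>` with no version field matches every version of that product), it ignores the suppression-file XML namespace, and the sample rule and finding are constructed from the values in this issue.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the suppression rule proposed in this issue.
# Real suppression files carry the dependency-suppression XML namespace;
# the parser below ignores namespaces so either form is accepted.
SUPPRESSION_XML = """<suppressions>
<suppress base="true">
   <notes><![CDATA[ FP per issue #6885 ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\\.eclipse\\.microprofile\\.config/microprofile-config-api@.*$</packageUrl>
   <cpe>cpe:/a:payara:payara</cpe>
</suppress>
</suppressions>"""

# Constructed sample finding: the purl and CPE reported in the issue.
FINDING_PURL = "pkg:maven/org.eclipse.microprofile.config/microprofile-config-api@3.0.3"
FINDING_CPE23 = "cpe:2.3:a:payara:payara:3.0.3:*:*:*:*:*:*:*"


def _local(tag: str) -> str:
    """Strip an XML namespace so '{ns}cpe' and 'cpe' compare equal."""
    return tag.rsplit("}", 1)[-1]


def cpe23_to_uri(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the CPE 2.2 URI form used in
    suppression files, e.g. 'cpe:2.3:a:payara:payara:3.0.3:*:*:*:*:*:*:*'
    -> 'cpe:/a:payara:payara:3.0.3'. Trailing '*' fields are dropped; empty
    fields are treated the same way, because markdown rendering (as in the
    issue text above) tends to eat the asterisks."""
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23!r}")
    fields = parts[2:]
    while fields and fields[-1] in ("*", ""):
        fields.pop()
    return "cpe:/" + ":".join(fields)


def _selector_matches(el: ET.Element, value: str) -> bool:
    """Apply one <packageUrl> or <cpe> selector. Assumed semantics (a local
    simplification, not dependency-check's own code): regex="true" means the
    whole value must match; otherwise a <packageUrl> must be equal, and a
    <cpe> that carries no version field matches every version (prefix)."""
    pattern = (el.text or "").strip()
    if el.get("regex", "false").lower() == "true":
        return re.fullmatch(pattern, value) is not None
    if _local(el.tag) == "cpe" and len(pattern[len("cpe:/"):].split(":")) <= 3:
        return value.startswith(pattern)
    return value == pattern


def suppression_applies(xml_text: str, purl: str, cpe23: str) -> list[str]:
    """Return the <notes> of every <suppress> rule that would suppress the
    given (purl, CPE) pairing: every <packageUrl> selector must match the
    purl and, if the rule lists <cpe> elements, at least one must match."""
    cpe_uri = cpe23_to_uri(cpe23)
    hits = []
    for rule in ET.fromstring(xml_text):
        if _local(rule.tag) != "suppress":
            continue
        pkg = [c for c in rule if _local(c.tag) == "packageUrl"]
        cpes = [c for c in rule if _local(c.tag) == "cpe"]
        if pkg and not all(_selector_matches(p, purl) for p in pkg):
            continue
        if cpes and not any(_selector_matches(c, cpe_uri) for c in cpes):
            continue
        notes = next((c.text or "" for c in rule if _local(c.tag) == "notes"), "")
        hits.append(notes.strip() or "(no notes)")
    return hits


if __name__ == "__main__":
    print("CPE 2.2 form:", cpe23_to_uri(FINDING_CPE23))
    print("matching rules:", suppression_applies(SUPPRESSION_XML, FINDING_PURL, FINDING_CPE23))
```

The function is deliberately strict about the purl: an unrelated artifact with the same payara CPE is not suppressed, which is the property you want from a `packageUrl`-scoped rule (suppress the mismatch for this one artifact, not the CVE everywhere).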

aikebah commented 2 months ago

With the library as obtained from Maven Central the FP is no longer happening, so likely your library has a hash mismatch with the build in Maven Central, so it can only do fuzzy text-matching in the CLI to try and establish information on what the artifact is.

edward9944 commented 2 months ago

I have cross-checked the MD5 value between the Maven Central repository and our own repository and it looks the same.
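When comparing a locally cached artifact against Maven Central, compare the SHA-1 as well as the MD5: Central publishes both as `.md5`/`.sha1` sidecar files next to the jar, and the Central lookup in dependency-check is keyed on the SHA-1 digest, so an MD5 that agrees is reassuring but not the digest that decides whether the artifact is recognised. The script below is an added example (not part of the issue or the dependency-check project): the jar bytes are a constructed stand-in, the sidecar-parsing assumes the usual "hex digest, optionally followed by a file name" layout, and `verify_local_artifact` reads a real jar plus sidecars from disk for actual use.

```python
import hashlib
from pathlib import Path

# Constructed sample: a stand-in for microprofile-config-api-3.0.3.jar. For a
# real check point verify_local_artifact() at the jar in your local repository,
# e.g. under ~/.m2/repository/org/eclipse/microprofile/config/microprofile-config-api/3.0.3/
SAMPLE_JAR_BYTES = b"PK\x03\x04constructed-not-a-real-jar"


def digests(data: bytes) -> dict[str, str]:
    """MD5 and SHA-1 hex digests of an artifact's bytes (SHA-1 is the digest
    used for the Central lookup, MD5 is what the issue reporter compared)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def parse_sidecar(text: str) -> str:
    """Maven Central's <artifact>.md5 / <artifact>.sha1 files hold the hex
    digest, sometimes followed by whitespace and a file name, sometimes in
    upper case. Keep only the first token, lower-cased."""
    tokens = text.strip().split()
    if not tokens:
        raise ValueError("empty checksum sidecar")
    return tokens[0].lower()


def compare_to_sidecars(data: bytes, sidecars: dict[str, str]) -> dict[str, bool]:
    """sidecars maps 'md5'/'sha1' to the sidecar file contents. Returns, per
    algorithm, whether the local bytes hash to the published digest."""
    actual = digests(data)
    return {alg: actual[alg] == parse_sidecar(text) for alg, text in sidecars.items()}


def verify_local_artifact(jar_path: str) -> dict[str, bool]:
    """Read <jar>, <jar>.md5 and <jar>.sha1 from disk (the sidecars as fetched
    from Central and saved next to the jar) and compare. Missing sidecars are
    skipped rather than treated as a mismatch."""
    jar = Path(jar_path)
    data = jar.read_bytes()
    sidecars = {}
    for alg in ("md5", "sha1"):
        side = jar.with_name(jar.name + "." + alg)
        if side.exists():
            sidecars[alg] = side.read_text()
    return compare_to_sidecars(data, sidecars)


if __name__ == "__main__":
    d = digests(SAMPLE_JAR_BYTES)
    print("sha1:", d["sha1"], "md5:", d["md5"])
    # Simulate a sidecar pair that matches, and one jar that was rebuilt locally.
    print("pristine:", compare_to_sidecars(SAMPLE_JAR_BYTES, {"sha1": d["sha1"], "md5": d["md5"]}))
    print("rebuilt: ", compare_to_sidecars(SAMPLE_JAR_BYTES + b"\n", {"sha1": d["sha1"]}))
```

A jar that was rebuilt, re-signed or re-packed by an internal repository manager will differ in SHA-1 even when its contents are functionally identical, and that is exactly the case in which the analyzer falls back to fuzzy text matching on the manifest and pom.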

aikebah commented 2 months ago

Do you run the CLI with CentralAnalyzer disabled?