Closed githubuserVenkat closed 5 days ago
Maven Coordinates:
<dependency>
    <groupId>org.codehaus.plexus</groupId>
    <artifactId>plexus-cipher</artifactId>
    <version>2.0</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6905
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-cipher@.*$</packageUrl>
    <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10448114479
Have raised this one with the NVD as a data anomaly in the NVD data. There is a better CPE available in the CPE dictionary to link to the plexus-utils project explicitly (and the currently linked CPE is not registered in the CPE dictionary).
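To check what a suppression rule like the one above actually covers before committing it, here is an added Python example (not DependencyCheck code) that parses the rule and applies the matching semantics as I understand ODC's: the packageUrl regex must match the dependency's package URL, and the finding's CPE must fall under the rule's CPE, where a rule CPE without a version covers every version. The findings are constructed sample data, the xmlns on the root element is assumed, and `fullmatch` for the regex selector is an assumption about how ODC anchors regex values. Run against the plexus records it shows that only the plexus-cipher finding is suppressed; the same CVE reported against plexus-interpolation is not touched by this rule, and a true positive on plexus-utils is left alone.

```python
"""Apply an OWASP Dependency-Check style <suppress> rule to a set of findings.

Added example, not code from the DependencyCheck project. It models the semantics
of a rule that combines a packageUrl regex (dependency selector) with a cpe
(finding selector). Sample findings below are constructed data.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# The rule from the comment above, wrapped in a suppressions root element.
# The namespace URI is assumed to be the one ODC's suppression schema uses.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #6905
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-cipher@.*$</packageUrl>
    <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
  </suppress>
</suppressions>
"""


@dataclass(frozen=True)
class Rule:
    purl_regex: Optional[re.Pattern]   # compiled <packageUrl regex="true">
    purl_exact: Optional[str]          # <packageUrl> without regex
    cpes: tuple                        # parsed <cpe> entries (part, vendor, product, version)
    cves: tuple                        # <cve> entries, upper-cased
    notes: str


@dataclass(frozen=True)
class Finding:
    purl: str   # package URL of the scanned dependency
    cpe: str    # CPE the finding was matched on (2.2 or 2.3 form)
    cve: str


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{uri}suppress' -> 'suppress'."""
    return tag.rsplit("}", 1)[-1]


def parse_cpe(cpe: str):
    """Return (part, vendor, product, version-or-None) from 'cpe:/a:v:p:ver' (2.2)
    or 'cpe:2.3:a:v:p:ver:...' (2.3). Empty or '*' version means any version."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe[len("cpe:2.3:"):].split(":")
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError(f"not a CPE: {cpe}")
    fields += [""] * (4 - len(fields))
    part, vendor, product, version = fields[:4]
    return (part, vendor, product, None if version in ("", "*") else version)


def load_rules(xml_text: str):
    """Parse every <suppress> element into a Rule, ignoring namespaces."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "suppress":
            continue
        regex = exact = None
        cpes, cves, notes = [], [], ""
        for child in el:
            name, text = _local(child.tag), (child.text or "").strip()
            if name == "packageUrl":
                if child.get("regex", "false").lower() == "true":
                    regex = re.compile(text)
                else:
                    exact = text
            elif name == "cpe":
                cpes.append(parse_cpe(text))
            elif name == "cve":
                cves.append(text.upper())
            elif name == "notes":
                notes = text
        rules.append(Rule(regex, exact, tuple(cpes), tuple(cves), notes))
    return rules


def _dependency_matches(rule: Rule, finding: Finding) -> bool:
    """A rule with no packageUrl selector applies to every dependency.
    fullmatch mirrors the whole-value anchoring assumed for ODC regex selectors."""
    if rule.purl_regex is not None:
        return rule.purl_regex.fullmatch(finding.purl) is not None
    if rule.purl_exact is not None:
        return finding.purl == rule.purl_exact
    return True


def _cpe_covered(rule_cpe, finding_cpe) -> bool:
    """part/vendor/product must be equal; a version-less rule CPE covers all versions."""
    return rule_cpe[:3] == finding_cpe[:3] and rule_cpe[3] in (None, finding_cpe[3])


def rule_matches(rule: Rule, finding: Finding) -> bool:
    if not _dependency_matches(rule, finding):
        return False
    if finding.cve.upper() in rule.cves:
        return True
    return any(_cpe_covered(rc, parse_cpe(finding.cpe)) for rc in rule.cpes)


def apply_suppressions(rules, findings):
    """Split findings into (suppressed, remaining)."""
    suppressed, remaining = [], []
    for f in findings:
        (suppressed if any(rule_matches(r, f) for r in rules) else remaining).append(f)
    return suppressed, remaining


# Constructed sample findings: the two false positives from the report, one true
# positive on plexus-utils, and a plexus-cipher finding under an unrelated CPE.
SAMPLE_FINDINGS = [
    Finding("pkg:maven/org.codehaus.plexus/plexus-cipher@2.0",
            "cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:2.0:*:*:*:*:*:*:*", "CVE-2022-4244"),
    Finding("pkg:maven/org.codehaus.plexus/plexus-interpolation@1.27",
            "cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:1.27:*:*:*:*:*:*:*", "CVE-2022-4244"),
    Finding("pkg:maven/org.codehaus.plexus/plexus-utils@3.0.20",
            "cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:3.0.20:*:*:*:*:*:*:*", "CVE-2022-4244"),
    Finding("pkg:maven/org.codehaus.plexus/plexus-cipher@2.0",
            "cpe:2.3:a:example_vendor:example_product:2.0:*:*:*:*:*:*:*", "CVE-2022-4244"),
]

if __name__ == "__main__":
    kept, left = apply_suppressions(load_rules(SUPPRESSIONS_XML), SAMPLE_FINDINGS)
    for f in kept:
        print("suppressed:", f.purl, f.cve)
    for f in left:
        print("remaining: ", f.purl, f.cve)
```

The last sample finding is there to show that the rule is scoped by CPE, not by CVE: the same CVE on the same package URL but under a different CPE is still reported, so a rule meant to cover every CPE the CVE can land on needs a `<cve>` element (or one `<cpe>` per CPE) rather than relying on the packageUrl alone.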
Package URL
pkg:maven/org.codehaus.plexus/plexus-cipher@2.0
CPE
cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:2.0:::::::*
CVE
CVE-2022-4244
ODC Integration
None
ODC Version
10.0.3
Description
As per the Snyk reference, the vulnerable component is plexus-utils; however, in the OWASP scan result the subject CVE is reported on plexus-cipher & plexus-interpolation.
The vulnerability applies to versions before 3.0.24; however, the latest version of plexus-cipher available from Maven is 2.1.0 and of plexus-interpolation is 1.27.
https://security.snyk.io/vuln/SNYK-CENTOS7-PLEXUSUTILS-3183869