jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: plexus-cipher for CVE-2022-4244 #6905

Closed githubuserVenkat closed 5 days ago

githubuserVenkat commented 3 weeks ago

Package URL

pkg:maven/org.codehaus.plexus/plexus-cipher@2.0

CPE

cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:2.0:*:*:*:*:*:*:*

CVE

CVE-2022-4244

ODC Integration

None

ODC Version

10.0.3

Description

As per the Snyk reference, the vulnerable component is plexus-utils; however, in the OWASP scan result the subject CVE is reported on plexus-cipher & plexus-interpolation.

The vulnerability is applicable for versions before 3.0.24; however, the latest available version from Maven of plexus-cipher is 2.1.0 and of plexus-interpolation is 1.27.

https://security.snyk.io/vuln/SNYK-CENTOS7-PLEXUSUTILS-3183869

github-actions[bot] commented 3 weeks ago

Maven Coordinates

<dependency>
   <groupId>org.codehaus.plexus</groupId>
   <artifactId>plexus-cipher</artifactId>
   <version>2.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6905
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-cipher@.*$</packageUrl>
   <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10448114479
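To check what the bot's rule actually covers before committing it, here is an added example (not part of the issue or of dependency-check itself) that wraps the rule in a suppression file with the 1.3 schema namespace and evaluates it against the finding reported above. The matcher is a simplified model of dependency-check's documented behaviour (packageUrl as a regex when regex="true", cpe as a starts-with match); the file contents and the plexus-interpolation purl are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed suppression file: the bot's rule inside the root element a
# dependency-check suppression file needs (no base="true" outside the project's own file).
SUPPRESSIONS_XML = """<suppressions xmlns="%s">
  <suppress>
    <notes><![CDATA[ FP per issue #6905 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.codehaus\\.plexus/plexus-cipher@.*$</packageUrl>
    <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
  </suppress>
</suppressions>""" % NS

# The CPE exactly as reported in the issue (2.3 formatted string).
REPORTED_CPE = "cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:2.0:*:*:*:*:*:*:*"


def cpe23_to_uri(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the cpe:/ URI form used in <cpe> elements.
    Trailing ANY ('*') components are dropped, as the 2.2 URI binding does."""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %s" % cpe23)
    fields = parts[2:]  # part, vendor, product, version, update, edition, ...
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join(fields)


def load_rules(xml_text: str) -> list:
    """Parse <suppress> rules that carry both a packageUrl and a cpe element."""
    root = ET.fromstring(xml_text)
    rules = []
    for s in root.findall("{%s}suppress" % NS):
        purl = s.find("{%s}packageUrl" % NS)
        cpe = s.find("{%s}cpe" % NS)
        if purl is None or cpe is None:
            continue
        rules.append({"purl": purl.text.strip(),
                      "purl_regex": purl.get("regex") == "true",
                      "cpe": cpe.text.strip()})
    return rules


def is_suppressed(purl: str, cpe23: str, rules: list) -> bool:
    """True when one rule matches both the dependency's purl and the flagged CPE.
    Assumed semantics: full regex match (or equality) on purl, prefix match on cpe."""
    uri = cpe23_to_uri(cpe23)
    for r in rules:
        purl_ok = bool(re.fullmatch(r["purl"], purl)) if r["purl_regex"] else r["purl"] == purl
        if purl_ok and uri.startswith(r["cpe"]):
            return True
    return False
```

Running the checks shows the rule silences the plexus-cipher finding but not plexus-interpolation, which the issue says is flagged with the same CVE; that artifact needs its own rule or the upstream NVD fix.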

aikebah commented 2 weeks ago

Have raised this one with the NVD as a data anomaly in the NVD data. There is a better CPE available in the CPE dictionary to link to the plexus-utils project explicitly (and the currently linked CPE is not registered in the CPE dictionary).