jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: keycloak-osgi-adapter for CVE-2023-6563 #6909

Closed githubuserVenkat closed 1 week ago

githubuserVenkat commented 3 weeks ago

Package URL

pkg:maven/org.keycloak/keycloak-osgi-adapter@18.0.2

CPE

cpe:2.3:a:keycloak:keycloak:18.0.2:::::::, cpe:2.3:a:redhat:keycloak:18.0.2:::::::

CVE

CVE-2023-6563

ODC Integration

None

ODC Version

10.0.3

Description

The actual vulnerable component is Keycloak versions before 21.0.0; however, OWASP dependency-check is considering keycloak-osgi-adapter-18.0.2.jar as the Keycloak jar, and its version matches the vulnerable version range (before 21.0).

Note: the currently used Keycloak version is 22.0.5.

github-actions[bot] commented 3 weeks ago

Maven Coordinates

<dependency>
   <groupId>org.keycloak</groupId>
   <artifactId>keycloak-osgi-adapter</artifactId>
   <version>18.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6909
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-osgi-adapter@.*$</packageUrl>
   <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10472205438

aikebah commented 3 weeks ago

The OSGi adapter library is an EOL-ed, abandoned part of the Keycloak project and as such is properly mapped to the CPE of Keycloak at NVD.

This project does not manage attribution of CVEs to specific sub-libraries of a project.

The library was removed from the Keycloak codebase with the removal of the Fuse 6 & 7 adapters in https://github.com/keycloak/keycloak/pull/11740
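As an added example that is not part of this issue thread and not dependency-check's own bundled suppression file: a project-local suppression file that hides only CVE-2023-6563 for the keycloak-osgi-adapter artifact, placed beside the broader form the bot proposed above. The bot's rule uses a `<cpe>` element, which drops the cpe:/a:keycloak:keycloak identification for the artifact altogether, so every present and future CVE recorded against that CPE would also disappear for this jar; given aikebah's point that the CPE mapping itself is correct, a `<cve>` suppression is the narrower choice. The file name and the `until` date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption; pass it with
     --suppression on the CLI or <suppressionFiles> in the Maven plugin) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Narrow form: suppresses exactly one CVE for exactly one artifact.
       The CPE identification (cpe:/a:keycloak:keycloak) is left in place,
       so any other CVE against that CPE is still reported for this jar. -->
  <suppress>
    <notes><![CDATA[
    Per the report in jeremylong/DependencyCheck#6909, CVE-2023-6563 affects
    Keycloak versions before 21.0.0; the deployed server is 22.0.5 and this
    artifact is only the EOL OSGi adapter.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-osgi-adapter@.*$</packageUrl>
    <cve>CVE-2023-6563</cve>
  </suppress>

  <!-- Broad form, equivalent to the bot's proposed rule minus base="true":
       removes the CPE match itself, which hides every keycloak CVE for this
       artifact. The until attribute (date is an assumption) makes the rule
       expire so the decision is revisited rather than forgotten. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
    Broad alternative; re-review when the OSGi adapter is replaced.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-osgi-adapter@.*$</packageUrl>
    <cpe>cpe:/a:keycloak:keycloak</cpe>
  </suppress>

</suppressions>
```

Pass the file with `--suppression dependency-check-suppressions.xml` on the CLI, or list it under `<suppressionFiles>` in the Maven plugin configuration. The `base="true"` attribute in the bot's output marks a rule intended for dependency-check's own bundled base suppression file; a project-local file does not need it.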