jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive with jmdns for CVE-2024-42469 #6966

Closed JoeNuttall closed 1 month ago

JoeNuttall commented 1 month ago

Package URL

pkg:maven/org.jmdns/jmdns@3.5.9

CPE

cpe:2.3:a:openhab:openhab:3.5.9:*:*:*:*:*:*:*

CVE

CVE-2024-42469

ODC Integration

None

ODC Version

7.4.4

Description

Started giving false positives on Friday 13th for this library, on this CVE and also CVE-2024-42470

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>org.jmdns</groupId>
   <artifactId>jmdns</artifactId>
   <version>3.5.9</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6966
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jmdns/jmdns@.*$</packageUrl>
   <cpe>cpe:/a:openhab:openhab</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10878957583
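The rule above only hides findings that carry the openhab CPE on a jmdns package URL; a genuine jmdns CVE matched through a different CPE would still be reported. The following added example (not dependency-check's own matcher, and not part of the issue) approximates how such a `<suppress>` rule is applied, so the scope of the rule can be checked before it is committed. It assumes that a `packageUrl` with `regex="true"` must match the whole package URL and that a `<cpe>` element matches any finding whose CPE, reduced to the `cpe:/` 2.2 form, starts with it; the 2.3 CPE strings are constructed from the issue's values.

```python
"""Approximate evaluation of an OWASP dependency-check suppression rule.

Added example, not ODC's own SuppressionRule code. Assumptions:
- packageUrl regex="true" is a full match against the package URL;
- a <cpe> element matches when the finding's CPE (in cpe:/ 2.2 form) starts with it;
- only the notes, packageUrl and cpe selectors from the issue are modelled.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed suppression file: the rule from the issue wrapped in the
# <suppressions> root element that a dependency-check suppression file needs.
SUPPRESSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress base="true">
      <notes><![CDATA[
      FP per issue #6966
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/org\.jmdns/jmdns@.*$</packageUrl>
      <cpe>cpe:/a:openhab:openhab</cpe>
   </suppress>
</suppressions>
"""


@dataclass
class SuppressRule:
    notes: str = ""
    package_url: Optional[str] = None
    package_url_is_regex: bool = False
    cpes: List[str] = field(default_factory=list)
    base: bool = False  # base="true": rule is treated as a bundled/core suppression


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text: str) -> List[SuppressRule]:
    """Read every <suppress> element from a suppression file."""
    root = ET.fromstring(xml_text)
    rules: List[SuppressRule] = []
    for node in root.iter():
        if _local(node.tag) != "suppress":
            continue
        rule = SuppressRule(base=node.get("base", "false").lower() == "true")
        for child in node:
            name = _local(child.tag)
            text = (child.text or "").strip()
            if name == "notes":
                rule.notes = text
            elif name == "packageUrl":
                rule.package_url = text
                rule.package_url_is_regex = child.get("regex", "false").lower() == "true"
            elif name == "cpe":
                rule.cpes.append(text)
        rules.append(rule)
    return rules


def cpe23_to_cpe22(cpe: str) -> str:
    """Reduce a CPE 2.3 formatted string to cpe:/part:vendor:product[:version]
    by dropping trailing wildcard fields; non-2.3 strings are returned unchanged."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        return cpe
    fields = parts[2:]
    while fields and fields[-1] in ("*", "-"):
        fields.pop()
    return "cpe:/" + ":".join(fields)


def rule_matches(rule: SuppressRule, purl: str, cpe: str) -> bool:
    """True when every selector present on the rule matches the finding."""
    if rule.package_url is not None:
        if rule.package_url_is_regex:
            if re.fullmatch(rule.package_url, purl) is None:
                return False
        elif rule.package_url != purl:
            return False
    if rule.cpes:
        cpe22 = cpe23_to_cpe22(cpe)
        if not any(cpe22.startswith(prefix) for prefix in rule.cpes):
            return False
    return True


def find_suppression(rules: List[SuppressRule], purl: str, cpe: str) -> Optional[SuppressRule]:
    """Return the first rule that suppresses the (package URL, CPE) finding, or None."""
    for rule in rules:
        if rule_matches(rule, purl, cpe):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_suppressions(SUPPRESSION_XML)
    openhab_cpe = "cpe:2.3:a:openhab:openhab:3.5.9:*:*:*:*:*:*:*"
    jmdns_cpe = "cpe:2.3:a:jmdns:jmdns:3.5.9:*:*:*:*:*:*:*"  # constructed, for contrast
    for purl, cpe in [("pkg:maven/org.jmdns/jmdns@3.5.9", openhab_cpe),
                      ("pkg:maven/org.jmdns/jmdns@3.5.9", jmdns_cpe),
                      ("pkg:maven/org.openhab/openhab@3.5.9", openhab_cpe)]:
        hit = find_suppression(rules, purl, cpe)
        print(f"{purl} / {cpe23_to_cpe22(cpe)} -> {'suppressed' if hit else 'reported'}")
```

The second case in the usage block is the one worth keeping in mind: a finding tied to a jmdns-vendor CPE is not touched by this rule, which is the intended scope of a CPE-based false-positive suppression. The third case shows that a package outside the `org.jmdns` group is also left alone even though it carries the openhab CPE.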

aikebah commented 1 month ago

Resolved via #6967