jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive with jmdns for CVE-2024-42469 #6967

Closed JoeNuttall closed 1 month ago

JoeNuttall commented 1 month ago

Package URL

pkg:maven/org.jmdns/jmdns@3.5.9

CPE

cpe:2.3:a:openhab:openhab:3.5.9:*:*:*:*:*:*:*

CVE

CVE-2024-42470

ODC Integration

None

ODC Version

7.4.4

Description

Started giving false positives on Friday 13th for this library on this and also CVE-2024-42469.

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>org.jmdns</groupId>
   <artifactId>jmdns</artifactId>
   <version>3.5.9</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6967
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jmdns/jmdns@.*$</packageUrl>
   <cpe>cpe:/a:openhab:openhab</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10878958406
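To show what the bot's rule actually suppresses, here is an added Python model (not dependency-check's own code) of the matching semantics it assumes: `packageUrl` with `regex="true"` is a regular-expression match, and `cpe` is a starts-with match against the `cpe:/` URI form of the identifier. The sample findings, including the non-jmdns package URL, are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Rule fields copied from the suppression above; the matching logic below is a
# simplified model of how dependency-check applies them, not its implementation.
PACKAGE_URL_REGEX = r"^pkg:maven/org\.jmdns/jmdns@.*$"
CPE_PREFIX = "cpe:/a:openhab:openhab"   # <cpe> is a starts-with match


@dataclass(frozen=True)
class Finding:
    purl: str    # package URL of the dependency
    cpe23: str   # CPE 2.3 formatted string as printed in the report
    cve: str


def cpe23_to_uri(cpe23: str) -> str:
    """Map 'cpe:2.3:a:vendor:product:version:...' to 'cpe:/a:vendor:product:version'."""
    parts = cpe23.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    part_type, vendor, product, version = parts[2:6]
    fields = [part_type, vendor, product]
    if version not in ("*", ""):          # '*' is the "any version" wildcard
        fields.append(version)
    return "cpe:/" + ":".join(fields)


def is_suppressed(f: Finding) -> bool:
    """Both conditions of the rule must hold: package URL regex AND cpe prefix."""
    return (re.search(PACKAGE_URL_REGEX, f.purl) is not None
            and cpe23_to_uri(f.cpe23).startswith(CPE_PREFIX))


def apply_suppression(findings):
    """Return the findings that survive the rule, in the original order."""
    return [f for f in findings if not is_suppressed(f)]


# Constructed sample: the two FPs from this issue, plus a hypothetical different
# package that legitimately maps to the openhab CPE and must keep being reported.
SAMPLE = [
    Finding("pkg:maven/org.jmdns/jmdns@3.5.9", "cpe:2.3:a:openhab:openhab:3.5.9:*:*:*:*:*:*:*", "CVE-2024-42469"),
    Finding("pkg:maven/org.jmdns/jmdns@3.5.9", "cpe:2.3:a:openhab:openhab:3.5.9:*:*:*:*:*:*:*", "CVE-2024-42470"),
    Finding("pkg:maven/example/openhab-app@4.2.0", "cpe:2.3:a:openhab:openhab:4.2.0:*:*:*:*:*:*:*", "CVE-2024-42469"),
]

if __name__ == "__main__":
    for f in apply_suppression(SAMPLE):
        print("still reported:", f.purl, f.cve)
```

Because the rule suppresses the CPE rather than a single CVE, it removes both CVE-2024-42469 and CVE-2024-42470 for any jmdns version, while the same CPE on another package is untouched.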

aikebah commented 1 month ago

approved

You should update your DependencyCheck version. Version 7.x is outdated and unmaintained. 10.x is the only version we use to judge FPs and maintain. Nevertheless, the FP you raised is still a valid FP finding for that version. Thanks for reporting it.

github-actions[bot] commented 1 month ago

Suppress rule has been added to the generatedSuppressions branch.