jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: dnsjava CVE-2024-25638 #6984

Closed ChenyuWang98 closed 1 month ago

ChenyuWang98 commented 1 month ago

Package URL

pkg:maven/dnsjava/dnsjava@2.1.7

CPE

null

CVE

CVE-2024-25638

ODC Integration

Maven Plugin

ODC Version

10.0.3

Description

https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw
https://nvd.nist.gov/vuln/detail/CVE-2024-25638#VulnChangeHistorySection

This vulnerability is still under analysis on the NVD website. On GitHub, this vulnerability only affects version 3.5.0 of dnsjava. 2.1.7 shall be unaffected.

github-actions[bot] commented 1 month ago

Maven Coordinates

<dependency>
   <groupId>dnsjava</groupId>
   <artifactId>dnsjava</artifactId>
   <version>2.1.7</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6984
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/dnsjava/dnsjava@.*$</packageUrl>
   <cpe>cpe:/a:undefined:undefined</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11008424945

aikebah commented 1 month ago

The GHSA listed is not a source for DependencyCheck. NVD is, but, as you indicate, it still needs to attribute the versions. OSSINDEX is also a source, and in there your exact version of the library is flagged as affected by the CVE.

Note that typically OSSINDEX does not take the CVE report at face value, but has their own team that decides on the applicability and may even decide to not accept a software change as fixing the reported vulnerability.

ODC correctly reports that one of the consulted resources (in this case OSSINDEX) is flagging the evaluated library as affected by the CVE.
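If a team reviews the evidence above and still decides to suppress the finding, the following is an added example (not from this thread and not the bot's generated rule) of a narrower suppression: it matches only this CVE and only the dnsjava 2.x range rather than every version, and carries an `until` date so the rule expires and the finding is re-evaluated once NVD attributes affected versions. The file name, the `until` date and the `${project.basedir}` path are assumptions.

```xml
<!-- dependency-check-suppressions.xml (assumed file name) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Expiry date is an assumption: after it the CVE is reported again
       and the decision must be revisited against NVD and OSS Index. -->
  <suppress until="2025-03-31Z">
    <notes><![CDATA[
    FP per issue #6984: GHSA-cfxw-4h78-h7fw lists only dnsjava 3.5.0 as
    affected by CVE-2024-25638; OSS Index flags 2.1.7. NVD analysis pending.
    Scoped to the 2.x line only, so a 3.x upgrade still surfaces the CVE.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/dnsjava/dnsjava@2\..*$</packageUrl>
    <cve>CVE-2024-25638</cve>
  </suppress>
</suppressions>

<!-- pom.xml: point the dependency-check-maven plugin at the file above -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>10.0.3</version>
  <configuration>
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>
```

Suppressing by `<cve>` plus a version-bounded `packageUrl` avoids the `cpe:/a:undefined:undefined` match and the `@.*$` regex, which together would hide any future CVE reported against this artifact.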