jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for CVE-2023-36415 in azure-identity #6999

Open rokoman13 opened 1 week ago

rokoman13 commented 1 week ago

Package URL

pkg:maven/com.azure/azure-identity@1.12.2

CPE

cpe:2.3:a:microsoft:azure_sdk_for_java:1.12.2:*:*:*:*:*:*:*

CVE

CVE-2023-36415

ODC Integration

None

ODC Version

10.0.4

Description

I see that the vuln is actual for azure-identity (java) up to 1.10.2, but my version is 1.12.2 and the CVE is still in the report (also tried azure-identity 1.13.3, the same thing).

github-actions[bot] commented 1 week ago

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-identity</artifactId>
   <version>1.12.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6999
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11101458486
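As an added example (not code from the dependency-check project or from anyone in this thread), the script below parses the suppression rule posted above and checks whether it would apply to the package URL and CPE from the report, so a maintainer can sanity-check a suppression entry before committing it. It assumes the usual dependency-check semantics that both the `packageUrl` and a `cpe` element must match for the rule to fire, that a non-regex `cpe` value is a prefix match against the identifier in `cpe:/` URI form, and it uses a simplified CPE 2.3 to URI conversion that keeps only the first seven components; the embedded XML and the second, non-matching package URL are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the suppression rule from the bot comment (without the
# xmlns a real suppression file carries, so element names can be used directly).
SUPPRESSION_XML = r"""<suppressions>
  <suppress base="true">
     <notes><![CDATA[
     FP per issue #6999
     ]]></notes>
     <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
     <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
  </suppress>
</suppressions>"""


def cpe23_to_uri(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the cpe:/ URI form used in suppression files.

    Simplified (assumption): keep part, vendor, product, version, update, edition,
    language and drop trailing wildcard components.
    """
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe23)
    fields = parts[2:9]  # part, vendor, product, version, update, edition, language
    while fields and fields[-1] in ("*", "-"):
        fields.pop()
    return "cpe:/" + ":".join(fields)


def _text_matches(elem: ET.Element, value: str, prefix: bool) -> bool:
    """Match one packageUrl/cpe element against a value, honouring regex="true"."""
    pattern = (elem.text or "").strip()
    if elem.get("regex", "false").lower() == "true":
        return re.match(pattern, value) is not None
    if prefix:
        return value.startswith(pattern)
    return value == pattern


def rule_matches(rule: ET.Element, purl: str, cpe23: str) -> bool:
    """True if this <suppress> rule would suppress the given CPE for the given package."""
    package_url = rule.find("packageUrl")
    if package_url is not None and not _text_matches(package_url, purl, prefix=False):
        return False  # rule is scoped to a different dependency
    cpe_uri = cpe23_to_uri(cpe23)
    # A non-regex <cpe> value is treated as a prefix (assumption), so a
    # version-less entry covers every version of that product.
    return any(_text_matches(c, cpe_uri, prefix=True) for c in rule.findall("cpe"))


def is_suppressed(xml_text: str, purl: str, cpe23: str) -> bool:
    """Evaluate every <suppress> rule in a suppression document."""
    root = ET.fromstring(xml_text)
    return any(rule_matches(rule, purl, cpe23) for rule in root.iter("suppress"))


if __name__ == "__main__":
    reported_purl = "pkg:maven/com.azure/azure-identity@1.12.2"
    reported_cpe = "cpe:2.3:a:microsoft:azure_sdk_for_java:1.12.2:*:*:*:*:*:*:*"
    print("suppressed:", is_suppressed(SUPPRESSION_XML, reported_purl, reported_cpe))
    # Constructed sibling artifact to show the rule is scoped by packageUrl.
    print("other artifact suppressed:",
          is_suppressed(SUPPRESSION_XML, "pkg:maven/com.azure/azure-core@1.12.2", reported_cpe))
```

Because the `packageUrl` pattern ends in `@.*$`, the rule covers every future version of azure-identity, which is what a `base="true"` false-positive rule is meant to do; narrowing the regex to a version range would be the choice if the mapping to `azure_sdk_for_java` were only wrong for some versions.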