jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for CVE-2024-35255 in azure-identity #7000

Open rokoman13 opened 2 months ago

rokoman13 commented 2 months ago

Package URL

pkg:maven/com.azure/azure-identity@1.12.2

CPE

cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:java:*:*

CVE

CVE-2024-35255

ODC Integration

None

ODC Version

10.0.4

Description

I see that the vuln applies to azure-identity (java) up to 1.12.2 (excluding), but my version is 1.12.2 and the CVE is still in the report (I also tried azure-identity 1.13.3, same thing).

github-actions[bot] commented 2 months ago

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-identity</artifactId>
   <version>1.12.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7000
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_identity_sdk</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11101489749

rokoman13 commented 1 month ago

@aikebah hello! could you check this FP report please?

aikebah commented 1 month ago

@rokoman13 The discriminator in the CPE that would allow fixing it (target_sw, with the values java vs python vs javascript vs .net for this library) is currently not taken into account, so the joined version ranges across the languages determine the versions reported as vulnerable.
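To make the mechanism aikebah describes concrete, here is an added, stand-alone illustration in Python. It is not dependency-check's matching code, and the cpeMatch entries in it are constructed for the example rather than copied from NVD: one CPE 2.3 criterion per language, each with its own endExcluding bound. The function is_vulnerable() evaluates a dependency CPE against them twice, once ignoring target_sw (the union of all languages' ranges, which is what produces the report above) and once honouring it.

```python
"""Added example (not part of dependency-check): how ignoring the CPE 2.3
target_sw field merges per-language version ranges into a false positive.
All cpeMatch data below is constructed for illustration, not NVD data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its eleven named attributes.
    (Escaped colons, '\\:', are not handled; none occur in these inputs.)"""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def version_key(version: str) -> Tuple[int, ...]:
    """Comparison key for plain dotted-integer versions like 1.12.2."""
    return tuple(int(x) for x in version.split("."))


@dataclass
class CpeMatch:
    """A minimal stand-in for an NVD cpeMatch node: a wildcard-version
    criterion plus optional version bounds."""
    criteria: str
    end_excluding: Optional[str] = None
    start_including: Optional[str] = None

    def covers(self, version: str) -> bool:
        key = version_key(version)
        if self.start_including and key < version_key(self.start_including):
            return False
        if self.end_excluding and key >= version_key(self.end_excluding):
            return False
        return True


# Constructed per-language ranges for one hypothetical CVE. The numbers
# are illustrative only; the point is that the non-Java bounds are higher
# than the Java one.
MATCHES: List[CpeMatch] = [
    CpeMatch("cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:java:*:*",
             end_excluding="1.12.2"),
    CpeMatch("cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:python:*:*",
             end_excluding="1.16.1"),
    CpeMatch("cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:node.js:*:*",
             end_excluding="4.2.1"),
    CpeMatch("cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:.net:*:*",
             end_excluding="1.11.4"),
]


def is_vulnerable(dep_cpe: str, matches: List[CpeMatch],
                  honor_target_sw: bool) -> bool:
    """Return True if any match covers the dependency's version.
    With honor_target_sw=False every language's range is consulted, so the
    ranges are effectively unioned; with True only criteria whose target_sw
    is '*' or equals the dependency's target_sw are consulted."""
    dep = parse_cpe23(dep_cpe)
    for m in matches:
        crit = parse_cpe23(m.criteria)
        if (crit["vendor"], crit["product"]) != (dep["vendor"], dep["product"]):
            continue
        if honor_target_sw and crit["target_sw"] not in ("*", dep["target_sw"]):
            continue
        if m.covers(dep["version"]):
            return True
    return False


JAVA_1_12_2 = "cpe:2.3:a:microsoft:azure_identity_sdk:1.12.2:*:*:*:*:java:*:*"

if __name__ == "__main__":
    for honor in (False, True):
        print(f"honor target_sw={honor}: "
              f"vulnerable={is_vulnerable(JAVA_1_12_2, MATCHES, honor)}")
```

Run stand-alone, the script reports the Java 1.12.2 artifact as vulnerable only when target_sw is ignored: the Python bound (<1.16.1) numerically covers 1.12.2 even though it belongs to a different library. The same reasoning explains why 1.13.3 is still flagged. Until the discriminator is honoured, the suppression the bot proposes is the practical workaround; note that it is keyed on the whole CPE, so it will also hide any future CVE recorded against that CPE for every azure-identity version. If you only want to silence this one finding, a suppression scoped with a `<cve>CVE-2024-35255</cve>` element instead of the `<cpe>` element keeps later advisories visible.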