jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.4k stars 1.27k forks

[FP]: False positive for CVE-2009-2704 and CVE-2009-2705 in SiteMinder J2EE #7001

Open gobiltd opened 3 weeks ago

gobiltd commented 3 weeks ago

Package URL

testj2ee.jar

CPE

cpe:2.3:a:sun:j2ee:::::::: AND cpe:2.3:a:broadcom:siteminder::::::::

CVE

CVE-2009-2704, CVE-2009-2705

ODC Integration

CLI

ODC Version

8.2.1

Description

As per NVD, these CVEs (CVE-2009-2704 and CVE-2009-2705) should be valid if we have a combination of cpe:2.3:a:sun:j2ee:::::::: and cpe:2.3:a:broadcom:siteminder:::::::: in the scanned project. However, CVE-2009-2704 and CVE-2009-2705 are getting reported even if we have only a jar related to one of the matching CPEs (cpe:2.3:a:sun:j2ee::::::::).
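A worked illustration of the AND semantics the report describes, added here as an example and not code from dependency-check or from the reporter: it evaluates an NVD-style configuration tree (AND/OR nodes over cpeMatch criteria, top-level nodes ORed) against the CPEs identified in a scan. The configuration for CVE-2009-2704 below is constructed from the issue text as an AND over the two products and is not copied from the NVD record; `naive_any_cpe` models a simplified per-criterion lookup that ignores the tree structure and is not a claim about dependency-check's internals.

```python
"""Evaluate an NVD-style CVE configuration tree against CPEs found in a scan.

Added example, not dependency-check's own code.  NVD publishes, per CVE, a
list of configuration nodes: each node is an AND or OR over cpeMatch
criteria and/or child nodes, and the top-level nodes are ORed together.
A CVE that only applies to the combination of two products is expressed
as an AND node, so a scan that identified only one of them must not match.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

WILDCARD = "*"


def parse_cpe23(cpe: str) -> list[str]:
    """Split a cpe:2.3 string into its 13 components.

    Empty or missing trailing components (as in the issue's loosely written
    'cpe:2.3:a:sun:j2ee::::::::') are treated as wildcards.
    """
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a cpe:2.3 string: {cpe!r}")
    parts = parts + [WILDCARD] * (13 - len(parts))
    return [p if p else WILDCARD for p in parts[:13]]


def cpe_matches(criterion: str, found: str) -> bool:
    """Component-wise comparison; a wildcard on either side matches anything."""
    return all(
        a == WILDCARD or b == WILDCARD or a.lower() == b.lower()
        for a, b in zip(parse_cpe23(criterion), parse_cpe23(found))
    )


@dataclass
class Node:
    """One configuration node: an operator over cpe_match criteria and children."""

    operator: str = "OR"  # "AND" or "OR"
    cpe_match: list[str] = field(default_factory=list)
    children: list[Node] = field(default_factory=list)

    def matches(self, found: Iterable[str]) -> bool:
        found = list(found)
        results = [any(cpe_matches(c, f) for f in found) for c in self.cpe_match]
        results += [child.matches(found) for child in self.children]
        if not results:
            return False
        return all(results) if self.operator == "AND" else any(results)


def cve_applies(configurations: list[Node], found: Iterable[str]) -> bool:
    """Top-level nodes are ORed: any matching node means the CVE applies."""
    found = list(found)
    return any(node.matches(found) for node in configurations)


def all_criteria(node: Node) -> list[str]:
    """Flatten every cpeMatch criterion in a node tree, ignoring the operators."""
    out = list(node.cpe_match)
    for child in node.children:
        out.extend(all_criteria(child))
    return out


def naive_any_cpe(configurations: list[Node], found: Iterable[str]) -> bool:
    """Simplified per-criterion lookup that ignores AND/OR structure.

    Models the behaviour the issue describes (flag the CVE as soon as any one
    criterion matches); not a claim about dependency-check's internals.
    """
    found = list(found)
    return any(
        cpe_matches(c, f)
        for node in configurations
        for c in all_criteria(node)
        for f in found
    )


# Constructed from the issue text: an AND over the two products.  The real NVD
# record for CVE-2009-2704 may be structured differently.
CVE_2009_2704_CONFIG = [
    Node(
        operator="AND",
        children=[
            Node(cpe_match=["cpe:2.3:a:sun:j2ee:*:*:*:*:*:*:*:*"]),
            Node(cpe_match=["cpe:2.3:a:broadcom:siteminder:*:*:*:*:*:*:*:*"]),
        ],
    )
]

# Constructed scan results: the reporter's case (only the J2EE jar) and the
# case where both products were identified.
ONLY_J2EE = ["cpe:2.3:a:sun:j2ee::::::::"]
BOTH_PRODUCTS = ["cpe:2.3:a:sun:j2ee::::::::", "cpe:2.3:a:broadcom:siteminder::::::::"]

if __name__ == "__main__":
    for label, found in (("only j2ee", ONLY_J2EE), ("j2ee + siteminder", BOTH_PRODUCTS)):
        print(f"{label:18s} structured={cve_applies(CVE_2009_2704_CONFIG, found)} "
              f"naive={naive_any_cpe(CVE_2009_2704_CONFIG, found)}")
```

Run stand-alone, the structured evaluation reports the CVE only when both products are present, while the naive lookup flags it for the J2EE-only scan, which is the discrepancy the issue reports. When triaging a finding like this, compare the tool's match against the CVE's configuration nodes in NVD before deciding it is a false positive.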

github-actions[bot] commented 3 weeks ago

Error parsing package url: testj2ee.jar.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] commented 3 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11124104703

chadlwilson commented 1 week ago

If this is your own testing jar (not something on Maven Central etc.) you'd have to add your own suppression.
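Following chadlwilson's suggestion, here is an added example (not part of the thread and not dependency-check's own code) that builds a suppression entry pinned to the jar's SHA-1 and lints a suppression file for entries that lack any scoping element, since such an entry silences the listed CVEs for every dependency in the scan. The schema URL and the `notes`, `sha1`, `cve`, `filePath`, `gav`, `packageUrl` and `cpe` element names are those documented for dependency-check's suppression format (confirm them against the version you run); the jar bytes, the `FAKE_JAR` constant and the `lint_suppressions` helper are this example's own.

```python
"""Write a dependency-check suppression scoped to one jar by SHA-1, and lint it.

Added example, not from the issue or from dependency-check.  The output is the
XML format consumed by the CLI's --suppression option; the schema URL is the
1.3 suppression schema (confirm against the version you run).  The jar bytes
are constructed for the example and are not a real SiteMinder artifact.
"""
from __future__ import annotations

import hashlib
import xml.etree.ElementTree as ET

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
# Elements that narrow a <suppress> entry to particular dependencies.  An entry
# with none of these suppresses the listed CVEs for every dependency scanned.
SCOPING_ELEMENTS = ("filePath", "sha1", "gav", "packageUrl", "cpe")


def q(tag: str) -> str:
    """Qualify a tag name with the suppression namespace."""
    return f"{{{SUPPRESSION_NS}}}{tag}"


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the file bytes, the value shown per dependency in the HTML report."""
    return hashlib.sha1(data).hexdigest()


def build_suppression(jar_bytes: bytes, cves: list[str], notes: str) -> str:
    """Return suppression XML pinned to the exact jar (by SHA-1) for the given CVEs."""
    ET.register_namespace("", SUPPRESSION_NS)
    root = ET.Element(q("suppressions"))
    sup = ET.SubElement(root, q("suppress"))
    ET.SubElement(sup, q("notes")).text = notes
    ET.SubElement(sup, q("sha1")).text = sha1_hex(jar_bytes)
    for cve in cves:
        ET.SubElement(sup, q("cve")).text = cve
    return ET.tostring(root, encoding="unicode")


def lint_suppressions(xml_text: str) -> list[str]:
    """Flag <suppress> entries that would apply to every dependency."""
    root = ET.fromstring(xml_text)
    warnings = []
    for i, sup in enumerate(root.findall(q("suppress")), start=1):
        if not any(sup.find(q(tag)) is not None for tag in SCOPING_ELEMENTS):
            cves = [e.text for e in sup.findall(q("cve"))]
            warnings.append(f"entry {i}: no filePath/sha1/gav/packageUrl/cpe scope; "
                            f"suppresses {cves or 'everything'} globally")
    return warnings


def parse_suppression(xml_text: str) -> dict:
    """Read back the first <suppress> entry (sha1 and CVE list) for checking."""
    root = ET.fromstring(xml_text)
    sup = root.find(q("suppress"))
    return {"sha1": sup.findtext(q("sha1")),
            "cves": [e.text for e in sup.findall(q("cve"))]}


# Constructed stand-in for the reporter's testj2ee.jar.
FAKE_JAR = b"PK\x03\x04 constructed test jar, not a real artifact"

# Constructed global (unscoped) entry, to show what the linter catches.
UNSCOPED = (f'<suppressions xmlns="{SUPPRESSION_NS}"><suppress>'
            f'<cve>CVE-2009-2704</cve></suppress></suppressions>')

if __name__ == "__main__":
    xml_text = build_suppression(
        FAKE_JAR, ["CVE-2009-2704", "CVE-2009-2705"],
        "False positive: NVD configuration requires SiteMinder as well; only sun:j2ee is present")
    print(xml_text)
    print("lint (scoped):  ", lint_suppressions(xml_text))
    print("lint (unscoped):", lint_suppressions(UNSCOPED))
```

Save the generated XML and pass it to the CLI with `--suppression <file>`. Keeping the `notes` element filled with the reason (which CPE combination NVD requires and which part is absent) and pinning by `sha1` rather than a broad `packageUrl` regex keeps the suppression reviewable and stops it from hiding a genuine hit when a different jar is added later.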