jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: keycloak-pax-web-undertow-18.0.2 mapped to CVE-2024-7341 #7012

Open rajeeviiit2108 opened 6 days ago

rajeeviiit2108 commented 6 days ago

Package URL

pkg:maven/org.keycloak/keycloak-pax-web-undertow@18.0.2

CPE

cpe:2.3:a:keycloak:keycloak:18.0.2:::::::*

CVE

CVE-2024-7341

ODC Integration

Maven Plugin

ODC Version

Maven Plugin

Description

While scanning our Karaf 4.4.4 image, Dependency Checker incorrectly matches mvn:org.keycloak/keycloak-osgi-features/18.0.2 to Red Hat Keycloak, which is affected by the mentioned CVE.

github-actions[bot] commented 6 days ago

Maven Coordinates

<dependency>
   <groupId>org.keycloak</groupId>
   <artifactId>keycloak-pax-web-undertow</artifactId>
   <version>18.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7012
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-pax-web-undertow@.*$</packageUrl>
   <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11209902050
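To see what the generated suppression rule above does and does not cover, here is an added illustration (not dependency-check's own matching code) that applies the rule's packageUrl regex and cpe value to a dependency's package URL and CPE. The matching semantics are an assumption modelled on the suppression documentation (regex match on the purl, component-prefix match on the CPE); the sample inputs are constructed from this issue.

```python
import re

# Constructed from the issue above: the bot-generated suppression rule.
# Matching is an assumption modelled on how dependency-check applies a
# <packageUrl regex="true"> element and a non-regex <cpe> element; it is
# an illustration, not the project's own code.
SUPPRESSION = {
    "packageUrl": r"^pkg:maven/org\.keycloak/keycloak-pax-web-undertow@.*$",
    "cpe": "cpe:/a:keycloak:keycloak",
}


def cpe23_to_22(cpe23: str) -> list[str]:
    """Reduce a CPE 2.3 formatted string to its 2.2-style components.

    'cpe:2.3:a:keycloak:keycloak:18.0.2:*:...' -> ['/a', 'keycloak', 'keycloak', '18.0.2']
    Trailing wildcard ('*') and empty fields are dropped so that a
    suppression written as a CPE 2.2 prefix can be compared component-wise.
    """
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe23!r}")
    fields = parts[2:]
    while fields and fields[-1] in ("", "*"):
        fields.pop()
    if not fields:
        raise ValueError(f"CPE has no usable components: {cpe23!r}")
    return ["/" + fields[0]] + fields[1:]


def suppresses(rule: dict, purl: str, cpe23: str) -> bool:
    """True if the rule silences the given CPE identification on the given package URL."""
    # Both conditions must hold: the purl must match the regex and the
    # dependency's CPE must start with the suppression's CPE components.
    if not re.search(rule["packageUrl"], purl):
        return False
    wanted = rule["cpe"].split(":")[1:]  # drop the leading 'cpe'
    actual = cpe23_to_22(cpe23)
    return actual[: len(wanted)] == wanted
```

Note that, as generated, the rule covers only keycloak-pax-web-undertow (any version); keycloak-osgi-features, named in the description, would need its own rule.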