jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: txw2-4.0.5.jar detected as eclipse glassfish #7020

Closed davidmstirn closed 3 weeks ago

davidmstirn commented 4 weeks ago

Package URL

pkg:maven/org.glassfish.jaxb/txw2@4.0.5

CPE

cpe:2.3:a:eclipse:glassfish:4.0.5:*:*:*:*:*:*:*

CVE

CVE-2024-9329

ODC Integration

Maven Plugin

ODC Version

10.0.1

Description

Seems like some jaxb dependencies are being picked up as eclipse glassfish.

github-actions[bot] commented 4 weeks ago

Maven Coordinates

<dependency>
   <groupId>org.glassfish.jaxb</groupId>
   <artifactId>txw2</artifactId>
   <version>4.0.5</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7020
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/txw2@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:glassfish</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11237671015
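A way to sanity-check a generated rule like the one above before it is merged, as an added example rather than code from dependency-check or from the bot: it parses the posted suppression, reduces the reported CPE 2.3 string to the 2.2 form used in suppression files, and applies the `packageUrl` regex and `cpe` selectors. It assumes (as an approximation of dependency-check's own matcher, not a copy of it) that a version-less `<cpe>` matches by prefix and that every selector present in a rule must match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the suppression rule posted in the issue (no xmlns, for brevity).
SUPPRESSION_XML = r"""<suppressions>
  <suppress base="true">
    <notes><![CDATA[ FP per issue #7020 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.glassfish\.jaxb/txw2@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:glassfish</cpe>
  </suppress>
</suppressions>"""

# Values reported in the issue body.
ISSUE_PURL = "pkg:maven/org.glassfish.jaxb/txw2@4.0.5"
ISSUE_CPE23 = "cpe:2.3:a:eclipse:glassfish:4.0.5:*:*:*:*:*:*:*"


def cpe23_to_22(cpe23: str) -> str:
    """Reduce a CPE 2.3 string to the 2.2 'cpe:/part:vendor:product[:version]' form.
    Trailing '*' (ANY) fields are dropped, so the result ends at the last set field."""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    fields = parts[2:]
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join(fields)


def load_rule(xml_text: str = SUPPRESSION_XML) -> ET.Element:
    """Return the first <suppress> element of a suppression document."""
    return ET.fromstring(xml_text).find("suppress")


def rule_matches(rule: ET.Element, purl: str, cpe23: str) -> bool:
    """True if this rule would suppress the given CPE for the given dependency.
    Assumption: packageUrl must match (regex or exact), and a version-less <cpe>
    is a prefix match against the 2.2 form of the reported CPE."""
    purl_el = rule.find("packageUrl")
    if purl_el is not None:
        pattern = purl_el.text.strip()
        if purl_el.get("regex") == "true":
            if re.match(pattern, purl) is None:
                return False
        elif pattern != purl:
            return False
    cpe22 = cpe23_to_22(cpe23)
    cpe_values = [el.text.strip() for el in rule.findall("cpe")]
    return not cpe_values or any(cpe22.startswith(v) for v in cpe_values)


def check_issue_7020() -> bool:
    """Does the posted rule suppress the false positive reported in this issue?"""
    return rule_matches(load_rule(), ISSUE_PURL, ISSUE_CPE23)
```

The regex is anchored on the artifact, so a sibling such as jaxb-runtime from the same groupId is not covered by this rule and would need its own report.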

chadlwilson commented 4 weeks ago

Dupe of #7015, already fixed in #7016 but needs another "automated" FP report to be merged before it gets published.