jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Wrongly reporting vulnerability CVE-2024-20506 on clamav-client-1.0.1.jar #7025

Open jennie-ju opened 5 hours ago

jennie-ju commented 5 hours ago

Package URL

pkg:maven/fi.solita.clamav/clamav-client@1.0.1

CPE

cpe:2.3:a:clamav:clamav:1.0.1:*:*:*:*:*:*:*

CVE

CVE-2024-20506

ODC Integration

Gradle Plugin

ODC Version

10.0.3

Description

CVE reported for clamav is alerting on the clamav-client library, which is incorrect. Similar to #7018 and #7017.

github-actions[bot] commented 5 hours ago

Maven Coordinates

<dependency>
   <groupId>fi.solita.clamav</groupId>
   <artifactId>clamav-client</artifactId>
   <version>1.0.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7025
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/fi\.solita\.clamav/clamav-client@.*$</packageUrl>
   <cpe>cpe:/a:clamav:clamav</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11263616245
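As an added example (not part of the issue thread and not dependency-check's own code), the script below loads the bot's suppression rule from a minimal suppression file and checks which findings it would silence. It is a simplified model of how dependency-check evaluates a `<suppress>` entry, written from the documented behaviour: a `packageUrl regex="true"` must match the whole purl for the rule to apply at all, and a `<cpe>` with no version (the 2.2-style `cpe:/a:clamav:clamav`) matches every version of that vendor/product, so the same rule also covers a future clamav-client 2.x. The `xmlns` on the wrapper is the usual suppression-schema namespace; the exact-match and version-handling details are assumptions, not a transcription of the project's `SuppressionRule` class.

```python
"""Check which (purl, CPE) findings a dependency-check suppression rule would silence.

Simplified model of ODC's rule evaluation (assumption, not the project's code):
  * packageUrl: regex="true" -> whole-string match; otherwise exact string equality;
    no packageUrl element -> the rule applies to every dependency.
  * cpe: part/vendor/product must match; a version given in the rule must match
    exactly, a rule without a version matches any version.
"""
import re
import xml.etree.ElementTree as ET

# Constructed input: the rule from this issue wrapped in a minimal suppression file.
SUPPRESSION_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    FP per issue #7025
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/fi\.solita\.clamav/clamav-client@.*$</packageUrl>
    <cpe>cpe:/a:clamav:clamav</cpe>
  </suppress>
</suppressions>
"""


def local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def parse_cpe(cpe):
    """Return (part, vendor, product, version) for a 2.2 or 2.3 CPE string.

    Escaped colons inside 2.3 components are not handled; none occur here.
    """
    if cpe.startswith("cpe:2.3:"):
        fields = cpe.split(":")[2:]          # part, vendor, product, version, ...
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError(f"unrecognised CPE: {cpe}")
    fields += [None] * (4 - len(fields))     # pad a short 2.2 CPE
    part, vendor, product, version = fields[:4]
    if version in ("", "*", "-"):
        version = None                       # "any version" / unspecified
    return part, vendor, product, version


def load_rules(xml_text):
    """Parse every <suppress> element into a dict of its packageUrl scope and CPEs."""
    rules = []
    for sup in ET.fromstring(xml_text).iter():
        if local(sup.tag) != "suppress":
            continue
        rule = {"purl_regex": None, "purl": None, "cpes": []}
        for child in sup:
            name, text = local(child.tag), (child.text or "").strip()
            if name == "packageUrl":
                if child.get("regex", "false").lower() == "true":
                    rule["purl_regex"] = re.compile(text)
                else:
                    rule["purl"] = text
            elif name == "cpe":
                rule["cpes"].append(parse_cpe(text))
        rules.append(rule)
    return rules


def scope_matches(rule, purl):
    """Does the rule's packageUrl element select this dependency?"""
    if rule["purl_regex"] is not None:
        return rule["purl_regex"].fullmatch(purl) is not None
    if rule["purl"] is not None:
        return rule["purl"] == purl
    return True


def cpe_matches(suppressed, found):
    """Vendor/product must agree; a versionless rule matches any version."""
    if suppressed[:3] != found[:3]:
        return False
    return suppressed[3] is None or suppressed[3] == found[3]


def is_suppressed(rules, purl, cpe):
    """True if any rule scopes to the purl and lists a CPE matching the finding."""
    found = parse_cpe(cpe)
    return any(scope_matches(r, purl) and any(cpe_matches(c, found) for c in r["cpes"])
               for r in rules)


if __name__ == "__main__":
    rules = load_rules(SUPPRESSION_XML)
    clamav_cpe = "cpe:2.3:a:clamav:clamav:1.0.1:*:*:*:*:*:*:*"
    # The finding from this issue: suppressed.
    print(is_suppressed(rules, "pkg:maven/fi.solita.clamav/clamav-client@1.0.1", clamav_cpe))
    # Same CPE on a different artifact: the packageUrl scope does not apply, so not suppressed.
    print(is_suppressed(rules, "pkg:maven/org.example/other@1.0.1", clamav_cpe))
```

The second check is the one worth keeping in a project's own suppression file review: the `packageUrl` element is what keeps this rule from hiding a genuine clamav match on some other dependency, so a rule that carries only the `<cpe>` element would be far broader than the issue calls for.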