Open edward9944 opened 13 hours ago
Maven Coordinates
<dependency>
    <groupId>commons-configuration</groupId>
    <artifactId>commons-configuration</artifactId>
    <version>1.6</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #7042
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-configuration/commons-configuration@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_configuration</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11321679435
Package URL
pkg:maven/commons-configuration/commons-configuration@1.6
CPE
cpe:2.3:a:apache:commons_configuration:1.6:*:*:*:*:*:*:*
CVE
CVE-2024-29131
ODC Integration
None
ODC Version
10.0.4
Description
The actual vulnerable class is AbstractListDelimiterHandler, which is not found in the commons-configuration artifact but is only present in the commons-configuration2 artifact.

Whether or not this is a false positive, you would have to take up with Sonatype OSSINDEX. ODC correctly reports that, according to their API, the version is vulnerable (OSSINDEX is queried with the exact library version and responds that the CVE is applicable for that specific library and version).
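As an added example (not ODC's or the reporter's code), the two checks a reviewer would run on this report: whether the suppression's packageUrl regex is scoped to the flagged PURL and not to commons-configuration2, and whether the class named in the Description is actually present in the jar. The jar contents are constructed in memory; the commons-configuration2 PURL namespace and the class's package path are assumptions.

```python
import io
import re
import zipfile

# The packageUrl regex from the suppression rule in this issue.
SUPPRESSION_PURL_REGEX = r"^pkg:maven/commons-configuration/commons-configuration@.*$"
VULNERABLE_CLASS = "AbstractListDelimiterHandler"


def purl_is_suppressed(purl: str, regex: str = SUPPRESSION_PURL_REGEX) -> bool:
    """Mirror an ODC regex="true" packageUrl match: the pattern must cover the whole PURL."""
    return re.fullmatch(regex, purl) is not None


def jar_has_class(jar_bytes: bytes, simple_name: str) -> bool:
    """True if any entry in the jar is a class file with this simple name, in any package."""
    suffix = "/" + simple_name + ".class"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(n.endswith(suffix) or n == simple_name + ".class" for n in jar.namelist())


def build_fake_jar(entries) -> bytes:
    """Constructed sample jar holding only the listed entry names (empty bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed stand-ins for the two artifacts; real jars can be read with open(path, "rb").
COMMONS_CONFIGURATION_1_6 = build_fake_jar([
    "META-INF/MANIFEST.MF",
    "org/apache/commons/configuration/AbstractConfiguration.class",
    "org/apache/commons/configuration/PropertiesConfiguration.class",
])
COMMONS_CONFIGURATION2 = build_fake_jar([
    "META-INF/MANIFEST.MF",
    # Assumed package path for the class the Description names.
    "org/apache/commons/configuration2/convert/AbstractListDelimiterHandler.class",
])


def assess(purl: str, jar_bytes: bytes) -> dict:
    """Summarise both checks for one dependency: is it suppressed, and does it ship the class?"""
    return {
        "suppressed": purl_is_suppressed(purl),
        "has_vulnerable_class": jar_has_class(jar_bytes, VULNERABLE_CLASS),
    }


if __name__ == "__main__":
    print(assess("pkg:maven/commons-configuration/commons-configuration@1.6", COMMONS_CONFIGURATION_1_6))
    print(assess("pkg:maven/org.apache.commons/commons-configuration2@2.x", COMMONS_CONFIGURATION2))
```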