jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: commons-configuration for CVE-2024-29131 #7042

Open edward9944 opened 13 hours ago

edward9944 commented 13 hours ago

Package URL

pkg:maven/commons-configuration/commons-configuration@1.6

CPE

cpe:2.3:a:apache:commons_configuration:1.6:*:*:*:*:*:*:*

CVE

CVE-2024-29131

ODC Integration

None

ODC Version

10.0.4

Description

The actual vulnerable class is AbstractListDelimiterHandler, which is not found in the commons-configuration artifact but is only present in the commons-configuration2 artifact.

github-actions[bot] commented 13 hours ago

Maven Coordinates

<dependency>
   <groupId>commons-configuration</groupId>
   <artifactId>commons-configuration</artifactId>
   <version>1.6</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7042
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-configuration/commons-configuration@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_configuration</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11321679435
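
An added example, not code from the issue or from the dependency-check project: it checks the two things the thread turns on offline. First, whether a jar actually ships the class named in the report (the issue's argument that AbstractListDelimiterHandler lives only in commons-configuration2); second, whether the bot's proposed suppression rule matches the reported package URL and CPE. The jars are constructed in memory, the class path under `org/apache/commons/configuration2/convert/` is assumed, and the suppression check models only the rule's text (regex on the purl, vendor/product of the CPE), not dependency-check's own suppression engine.

```python
"""Offline triage for a suspected SCA false positive: does the artifact ship the
class named in the report, and does the proposed suppression rule match the
finding?  All jars here are constructed test data, not the real artifacts."""
import io
import re
import zipfile

# Assumed class path (the issue names only the simple class name); the real
# commons-configuration2 artifact may lay the class out differently.
VULNERABLE_CLASS = (
    "org/apache/commons/configuration2/convert/AbstractListDelimiterHandler.class"
)

# The suppression rule as posted by the bot, reduced to its two matchers.
RULE = {
    "packageUrl": r"^pkg:maven/commons-configuration/commons-configuration@.*$",
    "cpe": "cpe:/a:apache:commons_configuration",
}


def build_jar(entries):
    """Build an in-memory jar (a zip) holding the given entry names.
    Each class entry carries only the class-file magic; constructed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def class_entries(jar_bytes):
    """Return the set of .class entry names inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n for n in jar.namelist() if n.endswith(".class")}


def ships_class(jar_bytes, class_path):
    """True if the jar contains exactly this class path (case-sensitive)."""
    return class_path in class_entries(jar_bytes)


def cpe_vendor_product(cpe):
    """Extract (part, vendor, product) from a CPE 2.2 ('cpe:/a:v:p...') or
    CPE 2.3 ('cpe:2.3:a:v:p...') string, so the two forms can be compared."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe[len("cpe:2.3:"):].split(":")
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError("not a CPE string: " + cpe)
    if len(fields) < 3:
        raise ValueError("CPE lacks part/vendor/product: " + cpe)
    return tuple(fields[:3])


def suppression_applies(rule, purl, cpe):
    """Simplified model of the posted <suppress> rule: the packageUrl regex must
    match the purl and the rule's CPE must name the same part/vendor/product as
    the finding's CPE.  Mirrors the rule text only, not ODC's engine."""
    purl_ok = re.match(rule["packageUrl"], purl) is not None
    cpe_ok = cpe_vendor_product(rule["cpe"]) == cpe_vendor_product(cpe)
    return purl_ok and cpe_ok


# Constructed stand-ins for the two Maven artifacts discussed in the issue.
COMMONS_CONFIGURATION_1 = build_jar([
    "org/apache/commons/configuration/AbstractConfiguration.class",
    "org/apache/commons/configuration/PropertiesConfiguration.class",
])
COMMONS_CONFIGURATION_2 = build_jar([
    "org/apache/commons/configuration2/PropertiesConfiguration.class",
    VULNERABLE_CLASS,
])


def triage(jar_bytes, purl, cpe):
    """Return both checks for one finding as a small verdict dict."""
    return {
        "ships_vulnerable_class": ships_class(jar_bytes, VULNERABLE_CLASS),
        "suppression_applies": suppression_applies(RULE, purl, cpe),
    }


if __name__ == "__main__":
    purl = "pkg:maven/commons-configuration/commons-configuration@1.6"
    cpe = "cpe:2.3:a:apache:commons_configuration:1.6:*:*:*:*:*:*:*"
    print("commons-configuration 1.x:", triage(COMMONS_CONFIGURATION_1, purl, cpe))
    print("commons-configuration2  :", triage(
        COMMONS_CONFIGURATION_2,
        "pkg:maven/org.apache.commons/commons-configuration2@2.10.1",
        "cpe:2.3:a:apache:commons_configuration:2.10.1:*:*:*:*:*:*:*",
    ))
```

Run it against a real jar by replacing the constructed bytes with `open(path, "rb").read()`; the class check is what actually settles whether the reported code is present, while the rule check only confirms that the suppression text would match the identifiers shown in the report.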

aikebah commented 7 hours ago

Whether or not this is a false positive you would have to take up with Sonatype OSS Index. ODC correctly reports that, according to their API, the version is vulnerable (OSS Index is queried with the exact library version and responds that the CVE is applicable to that specific library and version).