jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for lucene-codecs on CVE-2024-45772 #7048

Open jubui opened 3 hours ago

jubui commented 3 hours ago

Package URL

pkg:maven/org.apache.lucene/lucene-codecs@9.10.0

CPE

cpe:2.3:a:apache:lucene:9.10.0:*:*:*:*:*:*:*

CVE

CVE-2024-45772

ODC Integration

None

ODC Version

10.0.3

Description

This applies to all lucene-codec versions, because the reported CVE is against lucene-replicator.

github-actions[bot] commented 3 hours ago

Maven Coordinates

<dependency>
   <groupId>org.apache.lucene</groupId>
   <artifactId>lucene-codecs</artifactId>
   <version>9.10.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7048
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-codecs@.*$</packageUrl>
   <cpe>cpe:/a:apache:lucene</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11345495664
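The suppression rule the bot posted can be checked offline against the finding from this issue. The block below is an added example, not code from the dependency-check project: a small Python model of how the selectors of a `<suppress>` rule are evaluated. Its semantics are an assumed simplification of dependency-check's own (`<packageUrl>` is a regular expression when `regex="true"` and an exact string otherwise, `<cpe>` is a prefix match against the CPE 2.2 URI form of the identifier, `<cve>` is an exact match; `base="true"` and other rule elements such as `<vulnerabilityName>` or `<cvssBelow>` are ignored). The suppression file and the findings are constructed from the text of this issue.

```python
"""Model of dependency-check suppression matching (added example, assumed semantics).

Not the dependency-check implementation: packageUrl is a regex when regex="true",
else an exact string; cpe is a prefix match on the CPE 2.2 URI form; cve is exact;
base="true" and elements such as vulnerabilityName/cvssBelow are ignored.
"""
from dataclasses import dataclass
from typing import List, Optional
import re
import xml.etree.ElementTree as ET

# Constructed copy of the rule posted in this issue, inside the root element
# a real suppression file needs.
SUPPRESSIONS_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #7048
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/lucene-codecs@.*$</packageUrl>
    <cpe>cpe:/a:apache:lucene</cpe>
  </suppress>
</suppressions>
"""


@dataclass
class Rule:
    notes: str
    package_url: Optional[str]
    package_url_regex: bool
    cpes: List[str]
    cves: List[str]


@dataclass
class Finding:
    package_url: str
    cpe23: str  # CPE 2.3 formatted string, as it appears in the report and issue template
    cve: str


def load_rules(xml_text: str) -> List[Rule]:
    """Parse the <suppress> elements; '{*}' matches the tag in any (or no) namespace."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall("{*}suppress"):
        purl = sup.find("{*}packageUrl")
        rules.append(Rule(
            notes=(sup.findtext("{*}notes") or "").strip(),
            package_url=purl.text.strip() if purl is not None and purl.text else None,
            package_url_regex=purl is not None and purl.get("regex", "false").lower() == "true",
            cpes=[(e.text or "").strip() for e in sup.findall("{*}cpe")],
            cves=[(e.text or "").strip() for e in sup.findall("{*}cve")],
        ))
    return rules


def cpe23_to_uri(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the CPE 2.2 URI form used in <cpe> elements.

    The URI form carries only part..language; '*' (ANY) becomes an empty component
    and trailing empty components are dropped. Escaped colons are not split on.
    """
    fields = re.split(r"(?<!\\):", cpe23)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe23!r}")
    comps = ["" if f == "*" else f for f in fields[2:9]]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)


def rule_matches(rule: Rule, finding: Finding) -> bool:
    """Every selector present in the rule must match for the rule to apply."""
    if rule.package_url is not None:
        if rule.package_url_regex:
            if re.fullmatch(rule.package_url, finding.package_url) is None:
                return False
        elif rule.package_url != finding.package_url:
            return False
    if rule.cpes:
        uri = cpe23_to_uri(finding.cpe23)
        if not any(uri.startswith(prefix) for prefix in rule.cpes):
            return False
    if rule.cves and finding.cve not in rule.cves:
        return False
    return True


def suppression_reason(rules: List[Rule], finding: Finding) -> Optional[str]:
    """Notes of the first rule that suppresses the finding, or None if it is reported."""
    for rule in rules:
        if rule_matches(rule, finding):
            return rule.notes
    return None


# Constructed findings: the one reported here, the same CVE on the artifact the
# reporter says it concerns, and a later lucene-codecs version.
ISSUE_FINDING = Finding("pkg:maven/org.apache.lucene/lucene-codecs@9.10.0",
                        "cpe:2.3:a:apache:lucene:9.10.0:*:*:*:*:*:*:*", "CVE-2024-45772")
REPLICATOR_FINDING = Finding("pkg:maven/org.apache.lucene/lucene-replicator@9.10.0",
                             "cpe:2.3:a:apache:lucene:9.10.0:*:*:*:*:*:*:*", "CVE-2024-45772")
LATER_CODECS_FINDING = Finding("pkg:maven/org.apache.lucene/lucene-codecs@9.11.0",
                               "cpe:2.3:a:apache:lucene:9.11.0:*:*:*:*:*:*:*", "CVE-2024-45772")

if __name__ == "__main__":
    rules = load_rules(SUPPRESSIONS_XML)
    for f in (ISSUE_FINDING, REPLICATOR_FINDING, LATER_CODECS_FINDING):
        print(f.package_url, "->", suppression_reason(rules, f))
```

Running it shows the rule removes the lucene-codecs finding and leaves the same CVE on lucene-replicator untouched, which is the scoping the reporter asked for. Note what else the rule covers: the `packageUrl` regex matches every lucene-codecs version, and because there is no `<cve>` element the check never looks at the CVE id, so the `apache:lucene` CPE is dropped from lucene-codecs entirely and any other CVE tied to that CPE would be suppressed with it. That is the intended effect for a wrong CPE match; if only this one CVE should be hidden, a `<cve>` element in place of the `<cpe>` element is the narrower rule.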