jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for lucene modules except lucene-replicator on CVE-2024-45772 #7049

Open jubui opened 2 hours ago

jubui commented 2 hours ago

Package URL

pkg:maven/org.apache.lucene/lucene-codecs@9.10.0
pkg:maven/org.apache.lucene/lucene-core@9.10.0
pkg:maven/org.apache.lucene/lucene-spatial3d@9.10.0

pkg:maven/org.apache.lucene/lucene-analyzers-common@8.11.3
pkg:maven/org.apache.lucene/lucene-backward-codecs@8.11.3
pkg:maven/org.apache.lucene/lucene-core@8.11.3
pkg:maven/org.apache.lucene/lucene-grouping@8.11.3
pkg:maven/org.apache.lucene/lucene-highlighter@8.11.3
pkg:maven/org.apache.lucene/lucene-join@8.11.3
pkg:maven/org.apache.lucene/lucene-memory@8.11.3
pkg:maven/org.apache.lucene/lucene-misc@8.11.3
pkg:maven/org.apache.lucene/lucene-queries@8.11.3
pkg:maven/org.apache.lucene/lucene-queryparser@8.11.3
pkg:maven/org.apache.lucene/lucene-sandbox@8.11.3
pkg:maven/org.apache.lucene/lucene-spatial3d@8.11.3
pkg:maven/org.apache.lucene/lucene-suggest@8.11.3
pkg:maven/org.apache.lucene/lucene-expressions@8.11.3
pkg:maven/org.apache.lucene/lucene-spatial-extras@8.11.3

CPE

cpe:2.3:a:apache:lucene:9.10.0:*:*:*:*:*:*:*

CVE

CVE-2024-45772

ODC Integration

None

ODC Version

10.0.3

Description

For all the packages listed, this false positive applies to all versions, because the reported CVE is against a different module, lucene-replicator.
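Until the upstream false-positive data is corrected, the narrowest consumer-side fix is a suppression scoped to the affected package URLs rather than to the shared apache:lucene CPE. The following is an added example, not code from the DependencyCheck project: it embeds a suppression entry in the documented suppression.xml layout (suppressions / suppress / notes / packageUrl / cve, schema 1.3), then evaluates the packageUrl regex against the purls listed in the report plus a constructed lucene-replicator purl, to confirm the one module the CVE actually concerns would still be reported. The regex, the notes text, the lucene-replicator and solr-core sample purls and the placeholder CVE id are assumptions constructed for the check; the any-version scope follows the reporter's statement that the false positive is version-independent.

```python
"""Scope a dependency-check suppression to the Lucene modules listed in
#7049 (every org.apache.lucene artifact except lucene-replicator) and
check the packageUrl regex before committing it.

Added example; not code from the DependencyCheck project.  The file layout
(suppressions / suppress / notes / packageUrl / cve, schema 1.3) is the
documented suppression.xml format; the regex, the notes text and the
lucene-replicator / solr-core sample purls are constructed here."""
import re
import xml.etree.ElementTree as ET

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Suppression entry as it would sit in a project's suppression.xml.  The
# negative lookahead keeps lucene-replicator out of the match, so the one
# module the CVE actually concerns is still reported; "@.*" covers every
# version, matching the reporter's statement that the FP is version-agnostic.
SUPPRESSION_XML = rf"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS}">
  <suppress>
    <notes><![CDATA[
    CVE-2024-45772 is reported against lucene-replicator only; the other
    Lucene modules share the apache:lucene CPE and are flagged by mistake
    (jeremylong/DependencyCheck#7049).
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.lucene/(?!lucene-replicator@)lucene-[a-z0-9-]+@.*$</packageUrl>
    <cve>CVE-2024-45772</cve>
  </suppress>
</suppressions>
"""

# Package URLs taken from the issue report above.
REPORTED_PURLS = [
    "pkg:maven/org.apache.lucene/lucene-codecs@9.10.0",
    "pkg:maven/org.apache.lucene/lucene-core@9.10.0",
    "pkg:maven/org.apache.lucene/lucene-spatial3d@9.10.0",
    "pkg:maven/org.apache.lucene/lucene-analyzers-common@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-backward-codecs@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-core@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-grouping@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-highlighter@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-join@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-memory@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-misc@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-queries@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-queryparser@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-sandbox@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-spatial3d@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-suggest@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-expressions@8.11.3",
    "pkg:maven/org.apache.lucene/lucene-spatial-extras@8.11.3",
]


def load_rules(xml_text):
    """Parse suppression.xml into (purl_matcher, cve) pairs."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall(f"{{{NS}}}suppress"):
        purl_el = sup.find(f"{{{NS}}}packageUrl")
        cve_el = sup.find(f"{{{NS}}}cve")
        if purl_el is None or cve_el is None:
            continue  # other selector types (cpe, sha1, filePath) are out of scope here
        pattern = purl_el.text.strip()
        if purl_el.get("regex") == "true":
            matcher = re.compile(pattern).search
        else:
            matcher = lambda s, exact=pattern: s == exact  # literal match when regex is absent
        rules.append((matcher, cve_el.text.strip()))
    return rules


RULES = load_rules(SUPPRESSION_XML)


def suppressed_for(purl, cve="CVE-2024-45772", rules=RULES):
    """True if some rule matches both the package URL and the CVE."""
    return any(m(purl) and cve == rule_cve for m, rule_cve in rules)


def check_rules():
    """Summary a reviewer can eyeball: every listed purl suppressed, while
    the real module, an unrelated CVE and an unrelated artifact stay reported."""
    return {
        "reported_suppressed": sum(suppressed_for(p) for p in REPORTED_PURLS),
        "reported_total": len(REPORTED_PURLS),
        # constructed purl for the module the CVE actually concerns
        "replicator_suppressed": suppressed_for(
            "pkg:maven/org.apache.lucene/lucene-replicator@9.10.0"),
        # constructed placeholder CVE id: the rule must not bleed onto other findings
        "other_cve_suppressed": suppressed_for(
            "pkg:maven/org.apache.lucene/lucene-core@9.10.0", cve="CVE-0000-0000"),
        # constructed purl outside the lucene group
        "unrelated_purl_suppressed": suppressed_for(
            "pkg:maven/org.apache.solr/solr-core@9.10.0"),
    }


if __name__ == "__main__":
    for key, value in check_rules().items():
        print(f"{key}: {value}")
```

The pattern uses only anchors, escaped dots, a negative lookahead and a character class, all of which behave the same in Python's `re` and in the `java.util.regex` engine dependency-check applies, so a pass here carries over to the scanner. Pinning the entry to the cve element rather than suppressing the package outright keeps any future Lucene CVE visible.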

github-actions[bot] commented 2 hours ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11345511395

github-actions[bot] commented 2 hours ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11345515364

github-actions[bot] commented 2 hours ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11345664380

github-actions[bot] commented 2 hours ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11345669827

github-actions[bot] commented 2 hours ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11345675304