Open MidasJAF opened 7 hours ago
Maven Coordinates
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-json</artifactId>
<version>1.3.0</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #7066
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure-json@.*$</packageUrl>
<cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11439597328
For context I'm getting the xml reports from the jenkins plugin.
Package URL
pkg:maven/com.azure/azure-json@1.3.0
CPE
cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*
CVE
CVE-2024-43591
ODC Integration
{"label"=>"CLI"}
ODC Version
10.0.2
Description
azure-json has no Azure dependencies, and it doesn't seem to be calling the CLI directly. Both the package and the CLI are related to Azure, but otherwise I don't see how they are connected. I don't have the HTML report, so I'm getting the values from the XML output. There are two CPE identifiers, but there are also two vulnerabilities on azure-json@1.3.0. If they are ordered, the attached CPE should be the correct one. For completeness' sake, the other CPE is cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:* and the other CVE is CVE-2023-36052. I'll make a separate report for the other false positive, but wanted to wait until I'm certain I'm reading the report correctly.
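The following is an added example, not code from the issue or from DependencyCheck itself. It parses the suppression rule posted above and applies a simplified version of ODC's identifier matching to the two CPE identifiers named in the report, so you can check offline which identifier a rule will suppress before re-running a scan. Assumptions: a `packageUrl` with `regex="true"` must fully match the dependency's purl; a non-regex `<cpe>` in 2.2 URI form matches a 2.3 identifier when part, vendor and product agree and any version given in the rule agrees; CPE fields containing escaped colons are not handled; the `<suppressions>` wrapper and the sample findings are constructed from the issue text, and the schema namespace of a real suppression file is omitted for brevity.

```python
"""Offline check: which (purl, CPE) identifiers does an ODC suppression rule hit?

Added example; approximates DependencyCheck's matching, it is not ODC's code.
"""
import re
import xml.etree.ElementTree as ET

# The rule from the issue, wrapped in the <suppressions> root a real file uses.
# Constructed from the issue text; the xmlns of the real schema is left out.
SUPPRESSION_XML = r"""
<suppressions>
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #7066
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure-json@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:azure_cli</cpe>
  </suppress>
</suppressions>
"""

# Constructed sample identifiers, taken from the report in the issue.
FINDINGS = [
    ("pkg:maven/com.azure/azure-json@1.3.0",
     "cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*"),
    ("pkg:maven/com.azure/azure-json@1.3.0",
     "cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:*"),
]


def cpe_parts(cpe):
    """Return (part, vendor, product, version) for a CPE 2.2 URI or 2.3 string.

    version is None when the CPE does not carry one (assumption: no escaped
    colons inside fields).
    """
    if cpe.startswith("cpe:2.3:"):
        f = cpe.split(":")
        return f[2], f[3], f[4], f[5] if len(f) > 5 else None
    if cpe.startswith("cpe:/"):
        f = cpe[len("cpe:/"):].split(":")
        f += [None] * (4 - len(f))
        return f[0], f[1], f[2], f[3]
    raise ValueError(f"unrecognised CPE: {cpe}")


def load_rules(xml_text):
    """Parse <suppress> elements into dicts: notes, purl pattern, regex flag, cpes."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.iter("suppress"):
        purl_el = sup.find("packageUrl")
        rules.append({
            "notes": (sup.findtext("notes") or "").strip(),
            "purl": purl_el.text.strip() if purl_el is not None else None,
            "purl_regex": purl_el is not None and purl_el.get("regex") == "true",
            "cpes": [c.text.strip() for c in sup.findall("cpe")],
        })
    return rules


def cpe_matches(rule_cpe, finding_cpe):
    """Simplified ODC semantics: part/vendor/product must agree; version only if the rule names one."""
    rp, rv, rpr, rver = cpe_parts(rule_cpe)
    fp, fv, fpr, fver = cpe_parts(finding_cpe)
    if (rp, rv, rpr) != (fp, fv, fpr):
        return False
    return rver in (None, "*") or rver == fver


def suppressed_by(rules, purl, cpe):
    """Return the notes of the first rule that suppresses this identifier, else None."""
    for rule in rules:
        if rule["purl"] is not None:
            if rule["purl_regex"]:
                if not re.fullmatch(rule["purl"], purl):
                    continue
            elif rule["purl"] != purl:
                continue
        if any(cpe_matches(c, cpe) for c in rule["cpes"]):
            return rule["notes"]
    return None


if __name__ == "__main__":
    rules = load_rules(SUPPRESSION_XML)
    for purl, cpe in FINDINGS:
        hit = suppressed_by(rules, purl, cpe)
        print(f"{cpe}\n  -> {'suppressed: ' + hit if hit else 'NOT suppressed'}")
```

Running it shows the rule removes only the `microsoft:azure_cli` identifier on `azure-json`; the `microsoft:azure_sdk_for_java` identifier is untouched and needs its own rule, and the same `azure_cli` CPE on a different purl is also left alone because the `packageUrl` gate fails.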