jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: False positive for azure-json@1.3.0 against CVE-2024-43591 #7066

Open MidasJAF opened 7 hours ago

MidasJAF commented 7 hours ago

Package URL

pkg:maven/com.azure/azure-json@1.3.0

CPE

cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*

CVE

CVE-2024-43591

ODC Integration

CLI

ODC Version

10.0.2

Description

azure-json has no Azure dependencies, and it doesn't seem to be calling the CLI directly. Both the package and the CLI are related to Azure, but otherwise I don't see how they are connected.

I don't have the HTML report, so I'm getting the values from the XML output. There are two CPE identifiers, but there are also two vulnerabilities on azure-json@1.3.0. If they are ordered, the attached CPE should be the correct one. For completeness' sake, the other CPE is cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:* and the other CVE is CVE-2023-36052.

I'll make a separate report for the other false positive, but wanted to wait until I'm certain I'm reading the report correctly.

github-actions[bot] commented 7 hours ago

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-json</artifactId>
   <version>1.3.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7066
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-json@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11439597328
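The reporter's uncertainty above (which of the two CPEs produced which CVE) does not have to be resolved by guessing at ordering: the XML report records, for every vulnerability, which vulnerable-software CPE matched. The script below is an added example, not code from the dependency-check project or from anyone in this thread. It parses a constructed XML fragment modelled on the dependency-check XML report (the `analysis`/`dependency`/`identifiers`/`vulnerabilityIds`/`vulnerabilities` element names and the `vulnerabilityIdMatched` attribute are my understanding of the schema, not taken from this page), prints which CPE triggered each CVE, and then emulates the bot's suppression rule (a full-match `packageUrl` regex plus a prefix-matched `cpe` in CPE 2.2 URI form, which is how I understand ODC applies such rules) to show that the rule removes only CVE-2024-43591 and leaves CVE-2023-36052 for the separate report the reporter plans to file.

```python
import re
import xml.etree.ElementTree as ET

# Default namespace used by the dependency-check XML report (assumed version 4.0 schema).
NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-check.4.0.xsd"}

# Constructed sample: a cut-down report for azure-json@1.3.0 with the two CPEs
# and two CVEs mentioned in the issue. Not a real report; element names follow
# the dependency-check XML schema as understood by the author of this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.4.0.xsd">
  <dependencies>
    <dependency>
      <fileName>azure-json-1.3.0.jar</fileName>
      <identifiers>
        <package confidence="high">
          <id>pkg:maven/com.azure/azure-json@1.3.0</id>
        </package>
        <vulnerabilityIds confidence="low">
          <id>cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*</id>
        </vulnerabilityIds>
        <vulnerabilityIds confidence="low">
          <id>cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:*</id>
        </vulnerabilityIds>
      </identifiers>
      <vulnerabilities>
        <vulnerability source="NVD">
          <name>CVE-2024-43591</name>
          <vulnerableSoftware>
            <software vulnerabilityIdMatched="true">cpe:2.3:a:microsoft:azure_cli:*:*:*:*:*:*:*:*</software>
          </vulnerableSoftware>
        </vulnerability>
        <vulnerability source="NVD">
          <name>CVE-2023-36052</name>
          <vulnerableSoftware>
            <software vulnerabilityIdMatched="true">cpe:2.3:a:microsoft:azure_sdk_for_java:*:*:*:*:*:*:*:*</software>
          </vulnerableSoftware>
        </vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>
"""


def cpe23_to_cpe22(cpe23: str) -> str:
    """Convert a CPE 2.3 formatted string to the CPE 2.2 URI prefix form used by
    suppression <cpe> entries (cpe:/part:vendor:product[:version[:update]]).
    Naive split on ':' (escaped colons in CPE names are not handled)."""
    fields = cpe23.split(":")[2:7]  # part, vendor, product, version, update
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join(fields)


def vendor_product(cpe23: str):
    parts = cpe23.split(":")
    return (parts[3], parts[4])


def dependency_findings(report_xml: str):
    """Per dependency: its package URLs, the CPEs ODC assigned to it, and each
    CVE together with the vulnerable-software CPE(s) flagged as the match."""
    root = ET.fromstring(report_xml)
    findings = []
    for dep in root.findall(".//dc:dependency", NS):
        purls = [e.text for e in dep.findall("dc:identifiers/dc:package/dc:id", NS)]
        cpes = [e.text for e in dep.findall("dc:identifiers/dc:vulnerabilityIds/dc:id", NS)]
        vulns = []
        for v in dep.findall("dc:vulnerabilities/dc:vulnerability", NS):
            matched = [s.text for s in v.findall("dc:vulnerableSoftware/dc:software", NS)
                       if s.get("vulnerabilityIdMatched") == "true"]
            vulns.append((v.findtext("dc:name", namespaces=NS), matched))
        findings.append({"file": dep.findtext("dc:fileName", namespaces=NS),
                         "purls": purls, "cpes": cpes, "vulns": vulns})
    return findings


def apply_rule(finding, rule_purl_regex: str, rule_cpe: str):
    """Emulate a suppression with <packageUrl regex="true"> and <cpe>: if the PURL
    matches, identifiers whose CPE 2.2 form starts with rule_cpe are dropped, and
    the CVEs that were matched through those identifiers go with them.
    Returns (removed_cves, remaining_cves)."""
    if not any(re.fullmatch(rule_purl_regex, p) for p in finding["purls"]):
        return [], [name for name, _ in finding["vulns"]]
    suppressed = {vendor_product(c) for c in finding["cpes"]
                  if cpe23_to_cpe22(c).startswith(rule_cpe)}
    removed, kept = [], []
    for name, matched in finding["vulns"]:
        (removed if any(vendor_product(m) in suppressed for m in matched) else kept).append(name)
    return removed, kept


if __name__ == "__main__":
    for f in dependency_findings(SAMPLE_REPORT):
        print(f["file"], f["purls"])
        for name, matched in f["vulns"]:
            print(f"  {name} matched via {matched}")
        removed, kept = apply_rule(f, r"^pkg:maven/com\.azure/azure-json@.*$", "cpe:/a:microsoft:azure_cli")
        print(f"  bot rule removes {removed}, leaves {kept}")
```

Because the `cpe` element is a prefix match, `cpe:/a:microsoft:azure_cli` would also cover any future `azure_cli_*` product identifier; that is usually what you want for a false positive on the product itself, but it is worth knowing before copying the rule into a shared suppression file.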

MidasJAF commented 6 hours ago

For context, I'm getting the XML reports from the Jenkins plugin.