jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: agrona #7073

Closed Philippus closed 2 hours ago

Philippus commented 3 hours ago

Package URL

pkg:maven/org.agrona/agrona@1.22.0

CPE

cpe:2.3:a:protonmail:protonmail:1.22.0:*:*:*:*:*:*:*

CVE

CVE-2021-32816

ODC Integration

None

ODC Version

8.1.2

Description

Latest version of agrona (1.23.1) also gives a false positive.

github-actions[bot] commented 3 hours ago

Maven Coordinates

<dependency>
   <groupId>org.agrona</groupId>
   <artifactId>agrona</artifactId>
   <version>1.22.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7073
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.agrona/agrona@.*$</packageUrl>
   <cpe>cpe:/a:protonmail:protonmail</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11465686955
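As an added example (not part of the issue or the project's own code), a small Python check that a proposed suppression rule actually covers the reported purl/CPE pair and does not silently widen to unrelated artifacts; it embeds the rule from the comment above as constructed input and models ODC's partial-CPE match as a prefix match, which is an assumption about the tool's behaviour.

```python
import re
import xml.etree.ElementTree as ET

# The suppression rule from the bot comment above, embedded verbatim as constructed test input.
SUPPRESSION_RULE = r"""<suppress base="true">
   <notes><![CDATA[
   FP per issue #7073
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.agrona/agrona@.*$</packageUrl>
   <cpe>cpe:/a:protonmail:protonmail</cpe>
</suppress>"""


def cpe23_to_uri(cpe23):
    """Convert a CPE 2.3 formatted string to the cpe:/part:vendor:product[:version]
    URI form used in <cpe> suppression elements. Assumes no escaped colons."""
    fields = cpe23.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    part, vendor, product, version = fields[2:6]
    uri = f"cpe:/{part}:{vendor}:{product}"
    if version not in ("*", "-", ""):
        uri += ":" + version
    return uri


def rule_matches(rule_xml, purl, cpe23):
    """Return True if the rule would suppress the (purl, cpe) pair.
    Partial-CPE matching is modelled as a prefix match on whole components
    (assumption about ODC); a rule without <packageUrl> matches any purl."""
    rule = ET.fromstring(rule_xml)
    pkg = rule.find("packageUrl")
    if pkg is not None:
        pattern = pkg.text.strip()
        if pkg.get("regex") == "true":
            if not re.match(pattern, purl):
                return False
        elif pattern != purl:
            return False
    cpe_uri = cpe23_to_uri(cpe23)
    cpes = [c.text.strip() for c in rule.findall("cpe")]
    # Require either an exact match or a prefix ending on a component boundary,
    # so cpe:/a:protonmail:protonmail does not also cover cpe:/a:protonmail:protonmailx.
    return any(cpe_uri == c or cpe_uri.startswith(c + ":") for c in cpes)


if __name__ == "__main__":
    reported = ("pkg:maven/org.agrona/agrona@1.22.0",
                "cpe:2.3:a:protonmail:protonmail:1.22.0:*:*:*:*:*:*:*")
    print("suppresses reported finding:", rule_matches(SUPPRESSION_RULE, *reported))
```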

aikebah commented 2 hours ago

approved

github-actions[bot] commented 2 hours ago

Suppress rule has been added to the generatedSuppressions branch.