jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.41k stars 1.27k forks source link

[FP]: False positive for azure-core-amqp@2.9.9 against CVE-2024-43591 #7124

Open MidasJAF opened 2 hours ago

MidasJAF commented 2 hours ago

Package URl

pkg:maven/com.azure/azure-core-amqp@2.9.9

CPE

cpe:2.3:a:microsoft:azure_cli:2.9.9:*:*:*:*:*:*:*

CVE

CVE-2024-43591

ODC Integration

{"label"=>"CLI"}

ODC Version

10.0.2

Description

Releated to https://github.com/jeremylong/DependencyCheck/issues/7066 and https://github.com/jeremylong/DependencyCheck/issues/7110. Obviously it doesn't look like a java library for amqp is related to the azure cli, but I suppose it isn't impossible. It seems it's just the pattern that confuses anything azure related. Are the patterns themselves enough to conclude this is a false positive?

github-actions[bot] commented 2 hours ago

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-core-amqp</artifactId>
   <version>2.9.9</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7124
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-core-amqp@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11611990932