Closed karthickm512 closed 3 days ago
Maven Coordinates
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.11.0</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #7179
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-io/commons-io@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_io</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11967932883
You should look more closely. Inside the shaded folder of the jar are the shaded classes of commons-io.
Maven Coordinates
<dependency>
<groupId>org.ops4j.pax.url</groupId>
<artifactId>pax-url-aether</artifactId>
<version>2.6.14</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #7179
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.ops4j\.pax\.url/pax-url-aether@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_io</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11978970282
Package URL
pkg:maven/org.ops4j.pax.url/pax-url-aether@2.6.14
CPE
cpe:2.3:a:apache:commons_io:2.11.0:*:*:*:*:*:*:*
CVE
CVE-2024-47554
ODC Integration
None
ODC Version
11.1.0
Description
While scanning Apache Karaf 4.4.6 https://mvnrepository.com/artifact/org.apache.karaf/apache-karaf/4.4.6, which includes pax-url-aether 2.6.14, we get CVE-2024-47554 flagged. But upon inspecting the jar of this pax-url-aether we see that there is only a pom.xml reference to commons-io 2.11.0, but no jar being packaged and no import/export reference to commons-io.
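The disagreement in this issue (the reporter sees only a pom.xml reference to commons-io in pax-url-aether, the reply points at relocated commons-io classes under a shaded folder) comes down to one check: does the jar actually bundle the dependency's classes, possibly under a relocation prefix, or does it merely declare it? The script below is an added example, not code from the DependencyCheck project or from anyone in this thread. It lists class entries whose path contains the dependency's package (matching anywhere in the path so `shaded/org/apache/commons/io/...` is caught), reads every `pom.xml` embedded under `META-INF/maven/` for declared dependencies, and classifies the jar as `shaded`, `pom-only` or `absent`. The in-memory jar it builds when run without arguments is a constructed stand-in for pax-url-aether-2.6.14.jar, not the real artifact; the function names and the `shaded/` layout are assumptions for illustration. Run it against the real jar with `python check_shaded.py pax-url-aether-2.6.14.jar` to settle whether a suppression is warranted.

```python
"""Decide whether a jar ships a dependency's classes (possibly relocated) or only
declares it in an embedded pom.xml.  Added example, not DependencyCheck code."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace ('{http://maven.apache.org/POM/4.0.0}groupId' -> 'groupId')."""
    return tag.rsplit("}", 1)[-1]


def find_class_entries(jar_bytes, package_path):
    """Return class entries whose path contains package_path, e.g. 'org/apache/commons/io/'.

    Matching anywhere in the path, not only at the start, catches copies relocated by a
    shade plugin ('shaded/org/apache/commons/io/IOUtils.class')."""
    pattern = re.compile(r"(^|/)" + re.escape(package_path) + r".*\.class$")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(name for name in zf.namelist() if pattern.search(name))


def pom_dependencies(jar_bytes):
    """Return (groupId, artifactId, version) for every <dependency> element in any pom.xml
    embedded under META-INF/maven/.  Every declaration is included, so a hit here means
    'declared', not 'bundled'."""
    deps = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for elem in root.iter():
                if _local(elem.tag) != "dependency":
                    continue
                fields = {_local(child.tag): (child.text or "").strip() for child in elem}
                deps.append((fields.get("groupId", ""),
                             fields.get("artifactId", ""),
                             fields.get("version", "")))
    return deps


def classify(jar_bytes, group_id, artifact_id, package_path):
    """'shaded' if the dependency's classes are in the jar, 'pom-only' if it is merely
    declared in an embedded pom.xml, 'absent' if neither."""
    if find_class_entries(jar_bytes, package_path):
        return "shaded"
    if any(g == group_id and a == artifact_id for g, a, _ in pom_dependencies(jar_bytes)):
        return "pom-only"
    return "absent"


def build_constructed_jar():
    """Constructed stand-in for pax-url-aether-2.6.14.jar (NOT the real artifact): an
    embedded pom.xml declaring commons-io 2.11.0 plus a relocated commons-io class."""
    pom = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.ops4j.pax.url</groupId>
  <artifactId>pax-url-aether</artifactId>
  <version>2.6.14</version>
  <dependencies>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.11.0</version>
    </dependency>
  </dependencies>
</project>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.ops4j.pax.url/pax-url-aether/pom.xml", pom)
        zf.writestr("org/ops4j/pax/url/mvn/Handler.class", b"\xca\xfe\xba\xbe")
        # Relocated copy, as a shade plugin would produce it (assumed layout).
        zf.writestr("shaded/org/apache/commons/io/IOUtils.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_constructed_jar()
    verdict = classify(data, "commons-io", "commons-io", "org/apache/commons/io/")
    print("commons-io in jar:", verdict)
    for entry in find_class_entries(data, "org/apache/commons/io/")[:10]:
        print("  ", entry)
    return verdict


if __name__ == "__main__":
    main(sys.argv)
```

A `pom-only` result supports the suppression as a false positive; a `shaded` result means the vulnerable code is actually present in the jar and the CPE match is a true positive for the relocated copy, so the suppression would hide it.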