Closed madawei2699 closed 2 years ago
Thanks for the report!
False Positive reports are much welcome in the underlying library, namely https://github.com/jeremylong/DependencyCheck
In the meantime you can suppress this via :suppression-file
: https://github.com/rm-hull/nvd-clojure/tree/f9a7a90a51bb8b55fd85a3b7df25e0cc14388636#configuration-options
Cheers - V
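For readers who want to see what the :suppression-file route looks like in practice, here is an added example of a DependencyCheck suppression file; it is not part of this thread or of the nvd-clojure project. It targets the specific false positive reported here (nginx-clojure being matched to the nginx CPE) rather than the CVE, so a real finding on a different product would still surface. The Maven coordinates (nginx-clojure/nginx-clojure) and the schema URL are assumptions to verify against your own classpath and the DependencyCheck documentation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file, assumed to be saved as suppressions.xml
     and referenced from the nvd-clojure :suppression-file option. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      nginx-clojure 0.5.2 bundles Nginx 1.18.0 (see the report in this issue).
      DependencyCheck matches the artifact to cpe:/a:nginx:nginx:0.5.2 and
      therefore reports CVE-2019-20372, which only affects NGINX before 1.17.7.
      Suppress the CPE match (not the CVE) so that a genuine finding on a
      different CPE is still reported. Review this entry when the library
      or its bundled Nginx version changes.
    ]]></notes>
    <!-- Assumed Maven coordinates of the library; adjust to the actual artifact. -->
    <packageUrl regex="true">^pkg:maven/nginx-clojure/nginx-clojure@.*$</packageUrl>
    <cpe>cpe:/a:nginx:nginx</cpe>
  </suppress>
</suppressions>
```

Scoping the suppression to one packageUrl plus one CPE keeps the exception narrow: other artifacts that really are nginx builds are unaffected, and a later, genuinely vulnerable nginx-clojure release would still be flagged if it matched a different CPE. How the file path is wired into the nvd-clojure configuration is documented at the configuration-options link above; the exact wrapper key is not shown here because it is not stated in this thread.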
Thanks!
> So I think the issue is caused by nvd-clojure recognizing the wrong version of nginx in nginx-clojure lib.
The only 'recognition' that is performed is parsing a classpath. Ideally passing a classpath is your responsibility, as documented in https://github.com/rm-hull/nvd-clojure/tree/f9a7a90a51bb8b55fd85a3b7df25e0cc14388636#avoiding-classpath-interference
Please make sure to use those ways (or the new one based on clojure -Ttools); older ways of invoking this program are a little more prone to issues.
nvd-clojure is ok, but DependencyCheck recognizes the wrong CPE version; this is the issue: https://github.com/jeremylong/DependencyCheck/issues/3842
nginx Clojure 0.5.2 is built with Nginx v1.18.0, but nvd-clojure detected CVE-2019-20372 vulnerability which affects NGINX before 1.17.7.
After investigation, I found it is related to the nvd.nist.gov backend service. The vulnerability id is cpe:2.3:a:nginx:nginx:0.5.2:*:*:*:*:*:*:* and if you use the nvd.nist.gov web to refine the search and reset the CPE info with these inputs, the result is none.
So I think the issue is caused by nvd-clojure recognizing the wrong version of nginx in nginx-clojure lib.