Non-public dependencies have to be mitigated by the authors themselves. The HTML report will have all evidence harvested by DependencyCheck. You'll likely find avro references in all of them (in some other item than the groupId/artifactId).
You are right, the mentioned dependency has the word avro in its description.
My point is that the CPE should match hamba avro only, not everything with avro in it. There have been several similar cases in the past with identifiers like xxx_project, matching xxx in a lot of other packages.
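For an internal artifact that is misidentified this way, the mitigation the maintainer refers to is a DependencyCheck suppression file. The example below is added here and is not part of the issue or of the DependencyCheck project; the groupId prefix in the regular expression is taken from the package URL in this report, and the notes text is an assumption. The suppression is scoped to the internal `packageUrl` pattern and to the `avro_project:avro` CPE only, so a genuine Apache Avro dependency elsewhere in the build is still matched and still reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file, not taken from the issue or the project. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <!-- Assumed note text; document why the match is a false positive so it can be reviewed later. -->
        <notes><![CDATA[
        Internal ETL artifacts under com.syniverse.gsm.etl mention "avro" in their
        description but are not the Apache/Hamba Avro library. False positive on
        cpe:2.3:a:avro_project:avro.
        ]]></notes>
        <!-- Restrict the suppression to the internal groupId only (regex on the package URL). -->
        <packageUrl regex="true">^pkg:maven/com\.syniverse\.gsm\.etl/.*$</packageUrl>
        <!-- Suppress only this CPE; any other identification of these artifacts is still reported. -->
        <cpe>cpe:/a:avro_project:avro</cpe>
    </suppress>
</suppressions>
```

The file is passed to the Maven plugin through its `suppressionFiles` configuration parameter. Keeping the `packageUrl` restriction is the important part: a suppression that names only the CPE would silence the finding for every dependency in the build, including a real Avro artifact with a published CVE.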
Package URL
pkg:maven/com.syniverse.gsm.etl/[email protected]
CPE
cpe:2.3:a:avro_project:avro:2.10.0:*:*:*:*:*:*:*
CVE
No response
ODC Integration
Maven Plugin
ODC Version
8.4.3