Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FP]: CVE-2023-36414, CVE-2023-36415 on com.azure azure-identity-extensions #6491

Closed
eliasmueller opened this issue Feb 28, 2024 · 4 comments
Labels
FP Report maven changes to the maven plugin

Comments

@eliasmueller
Copy link

eliasmueller commented Feb 28, 2024

Package URl

pkg:maven/com.azure/[email protected]

CPE

cpe:2.3:a:microsoft:azure_cli:1.1.13:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_identity_sdk:1.1.13:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.1.13:*:*:*:*:*:*:*

CVE

CVE-2023-36414, CVE-2023-36415

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

9.0.9

Description

Based on my understanding and what the Microsoft reports show, those vulnerabilities are limited to the azure-identity library patched in version 1.10.2, and not part of the azure-identity-extensions library, which references 1.11.1:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36415

Therefore, I assume this to be a false positive.

Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-identity-extensions</artifactId>
   <version>1.1.13</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6491
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity-extensions@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8076844697

@github-actions github-actions bot added the maven changes to the maven plugin label Feb 28, 2024
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-identity-extensions</artifactId>
   <version>1.1.13</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6491
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity-extensions@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8078200830

@chadlwilson
Copy link
Contributor

Approved.

azure-identity-extensions is versioned independently of all the CPEs mentioned here, even though there is an ongoing challenge with the language discriminators in CPEs not being understood by ODC.

@eliasmueller The automation here can only handle one CPE at a time, so if the CVEs here are still showing up from other CPEs after this merge, you might need to raise new FP reports for those.

Copy link
Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Development

No branches or pull requests

2 participants