-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FP]: CVE-2023-36414, CVE-2023-36415 on com.azure azure-identity-extensions #6491
Comments
Maven Coordinates <dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity-extensions</artifactId>
<version>1.1.13</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6491
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure-identity-extensions@.*$</packageUrl>
<cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8076844697 |
Maven Coordinates <dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity-extensions</artifactId>
<version>1.1.13</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6491
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure-identity-extensions@.*$</packageUrl>
<cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8078200830 |
Approved. azure-identity-extensions is versioned independently of all the CPEs mentioned here, even though there is an ongoing challenge with the language discriminators in CPEs not being understood by ODC. @eliasmueller The automation here can only handle one CPE at a time, so if the CVEs here are still showing up from other CPEs after this merge, you might need to raise new FP reports for those. |
Suppress rule has been added to the |
Package URl
pkg:maven/com.azure/[email protected]
CPE
cpe:2.3:a:microsoft:azure_cli:1.1.13:*:*:*:*:*:*:*
,cpe:2.3:a:microsoft:azure_identity_sdk:1.1.13:*:*:*:*:*:*:*
,cpe:2.3:a:microsoft:azure_sdk_for_java:1.1.13:*:*:*:*:*:*:*
CVE
CVE-2023-36414, CVE-2023-36415
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
9.0.9
Description
Based on my understanding and what the Microsoft reports show, those vulnerabilities are limited to the azure-identity library patched in version 1.10.2, and not part of the azure-identity-extensions library, which references 1.11.1:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36415
Therefore, I assume this to be a false positive.
The text was updated successfully, but these errors were encountered: