-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FP]: CVE-2021-3765, validator.js dependency gets flagged on hibernate-validator dependencies #6692
Comments
Maven Coordinates <dependency>
<groupId>org.hibernate.validator</groupId>
<artifactId>hibernate-validator</artifactId>
<version>8.0.1.Final</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6692
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate-validator@.*$</packageUrl>
<cpe>cpe:/a:validator_project:validator</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268402034 |
This is one of multiple FPs of Node.js vulnerabilities that suddenly got flagged on Java/JVM dependencies while I was upgrading Kotlin from 1.9.x to 2.0, apparently because the CPE had an asterisk in the third position, which should have contained the string
|
approved |
Suppress rule has been added to the |
@jeremylong It still flags the other one with the suppression in the automated fix commit:
|
@jeremylong Adding another <suppress base="true">
<notes><![CDATA[
FP per issue #6692
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate-validator.*@.*$</packageUrl>
<cpe>cpe:/a:validator_project:validator</cpe>
</suppress> |
Package URl
pkg:maven/org.hibernate.validator/[email protected]
CPE
cpe:2.3:a:validator_project:validator:8.0.1:::::::*
CVE
CVE-2021-3765
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
9.2.0
Description
Vulnerability
CVE-2021-3765
, which applies tovalidator.js
(a Node.js library) gets flagged onhibernate-validator
dependencies:Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.
Also worth noting: according to NIST, the CPE should in fact be
cpe:2.3:a:validator_project:validator:*:*:*:*:*:node.js:*:*
but the CPE that the DendencyCheck Gradle plugin flags has a wildcard in place of the.node.js
part. Perhaps that's what's causing this false positive?The text was updated successfully, but these errors were encountered: