Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: spring-boot-jarmode-tools incorrectly identified as vmware:tools #6725

Closed
MichaelVetter opened this issue Jun 14, 2024 · 7 comments
Closed

[FP]: spring-boot-jarmode-tools incorrectly identified as vmware:tools #6725

MichaelVetter opened this issue Jun 14, 2024 · 7 comments
Labels
FP Report maven changes to the maven plugin

Comments

@MichaelVetter
Copy link

Package URl

pkg:maven/org.springframework.boot/[email protected]

CPE

cpe:2.3:a:vmware:tools:3.3.0:*:*:*:*:*:*:*

CVE

No response

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

9.2.0

Description

No response
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-jarmode-tools</artifactId>
   <version>3.3.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6725
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-jarmode-tools@.*$</packageUrl>
   <cpe>cpe:/a:vmware:tools</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9514606574

@github-actions github-actions bot added the maven changes to the maven plugin label Jun 14, 2024
@aikebah
Copy link
Collaborator

aikebah commented Jun 29, 2024

approved

@github-actions GitHub Actions
Copy link
Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue Jun 29, 2024
@github-actions
fix(fp): FP per issue #6725
06a7dc0
@rpaasche
Copy link

@aikebah
Is this already release? Currently, we get CVE-2016-7079 (and some more vmware-tool related) for spring-boot-jarmode-tools-3.3.4.jar.

Using dependency-check 10.0.4

@aikebah
Copy link
Collaborator

aikebah commented Sep 26, 2024

@rpaasche Resolutions by the bot are immediately available as a suppression in the hosted suppressions file (assuming that you run your scans with internet connectivity it should become active as soon as the currently cached hostedSuppressions file expires - 2hrs after its latest retrieval in the default setup)

Check you scan report to see whether it properly identifies your jar as the maven package (pkg:maven/.....) listed above in the suppression. Suppressions we add in this project are typically based on the package-url of the library.

@rpaasche
Copy link

@aikebah

I see the problem now:

2024-09-26 21:06:01 |  [WARN] Hosted Suppressions file is empty or missing - attempting to force the update
2024-09-26 21:06:01 |  [WARN] Empty Hosted Suppression file after update, results may contain false positives already resolved by the DependencyCheck project due to failed download of the hosted suppression file

Will investigate this.

Thank you.

@rpaasche
Copy link

@aikebah

Found the reason and opened #6993

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@aikebah @MichaelVetter @rpaasche