[FP]: (regression of #6695) CVE-2022-21704 still gets flagged on a Node.js dependency, #6869
Comments
|
Maven Coordinates <dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j2-impl</artifactId>
<version>2.23.1</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6869
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-slf4j2-impl@.*$</packageUrl>
<cpe>cpe:/a:log4js_project:log4js</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10059660424 |
|
This yet another example of a FP as result of a platform/language mismatch. @OrangeDog FYI |
aikebah
added a commit
that referenced
this issue
Aug 24, 2024
Fixup the wrongly added suppression as per comment b2052fb#r142470093 and issue #6869
|
The original suppression from #6695 has been corrected and FP suppression automation has published the updated hosted suppressions file |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Package URl
pkg:maven/org.apache.logging.log4j/[email protected]
CPE
cpe:2.3:a:log4js_project:log4js:2.23.1:*:*:*:*:*:*:*CVE
CVE-2022-21704
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
10.0.3
Description
As I stated in this comment, the previous regression didn't work.
In this other comment, I shared required change to make it work.
TL;DR: the CPE section in the suppression has to be changed as follows:
The text was updated successfully, but these errors were encountered: