[FP]: Wrongly reporting vulnerability CVE-2024-20505 on clamav-client-1.0.1.jar #7018
Comments
|
Maven Coordinates <dependency>
<groupId>fi.solita.clamav</groupId>
<artifactId>clamav-client</artifactId>
<version>1.0.1</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #7018
]]></notes>
<packageUrl regex="true">^pkg:maven/fi\.solita\.clamav/clamav-client@.*$</packageUrl>
<cpe>cpe:/a:clamav:clamav</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11229202396 |
|
This FP looks legit @aikebah - can we get this one in? :-) |
|
approved |
|
Suppress rule has been added to the |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Package URl
pkg:maven/fi.solita.clamav/[email protected]
CPE
cpe:2.3:a:clamav:clamav:::::::: versions from (including) 0.104.0; versions up to (excluding) 1.0.7
CVE
CVE-2024-20505
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
10.0.2
Description
This CVE-2024-20505 impacts only on "clamav:clamav" packages as per NVD and cpe provided. But tool is reporting it on "fi.solita.clamav/[email protected]" jars as well which is wrong.
From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?
The text was updated successfully, but these errors were encountered: