
[FP]: several CVE detected for org.mortbay.jasper.apache-el-9.0.90.jar #7047

Closed
MrAkansh opened this issue Oct 15, 2024 · 12 comments
Labels: FP Report, maven (changes to the maven plugin)

Comments

@MrAkansh

MrAkansh commented Oct 15, 2024

Package URL

pkg:maven/org.mortbay.jasper/apache-el@9.0.90

CPE

cpe:2.3:a:eclipse:jetty:9.0.90:::::::, cpe:2.3:a:jetty:jetty:9.0.90:::::::, cpe:2.3:a:mortbay:jetty:9.0.90:::::::, cpe:2.3:a:mortbay_jetty:jetty:9.0.90:::::::

CVE

CVE-2017-7657 CVE-2017-7658 CVE-2017-7656 CVE-2017-9735 CVE-2021-28165 CVE-2022-2048 CVE-2023-44487 CVE-2020-27216 CVE-2018-12536 CVE-2021-28169 CVE-2023-26048 CVE-2023-26049 CVE-2023-40167 CVE-2023-36479 CVE-2021-34428 CVE-2022-2047

ODC Integration

None

ODC Version

10.0.4

Description

There are many CVEs identified for org.mortbay.jasper.apache-el-9.0.90.jar.

CVE-2017-7657 CVE-2017-7658 CVE-2017-7656 CVE-2017-9735 CVE-2021-28165 CVE-2022-2048 CVE-2023-44487 CVE-2020-27216 CVE-2018-12536 CVE-2021-28169 CVE-2023-26048 CVE-2023-26049 CVE-2023-40167 CVE-2023-36479 CVE-2021-34428 CVE-2022-2047

On the official Maven, none of the above CVEs are mentioned for this OSS jar. Please review.

Contributor

Error parsing package url: https://mvnrepository.com/artifact/org.mortbay.jasper/apache-el/9.0.90.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11340589366

Contributor

Error parsing package url: https://mvnrepository.com/artifact/org.mortbay.jasper/apache-el/9.0.90.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11340597001

@MrAkansh
Author

pkg:maven/org.mortbay.jasper/apache-el@9.0.90

Contributor

Maven Coordinates

<dependency>
   <groupId>org.mortbay.jasper</groupId>
   <artifactId>apache-el</artifactId>
   <version>9.0.90</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7047
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11340611220

github-actions bot added the maven label (changes to the maven plugin) Oct 15, 2024
@aikebah
Collaborator

aikebah commented Oct 16, 2024

The DependencyCheck project takes all libraries under one CPE as a whole and by design makes no attempt to map the CVEs registered against those in the NVD to the subcomponent that they apply to.

org.mortbay.jasper.apache-el is versioned together with the rest of Eclipse Jetty so that any vulnerability applicable to it would be listed in the NVD under the Jetty CPE.

Therefore it is up to the users to triage the NVD-registered vulnerabilities for applicability to the component when they cannot upgrade to the version of Jetty that fixed the vulnerability (in another part of the Jetty libraries).

aikebah closed this as not planned Oct 20, 2024
@MrAkansh
Author

MrAkansh commented Oct 21, 2024

https://mvnrepository.com/artifact/org.mortbay.jasper/apache-el/9.0.90

apache-el@9.0.90 jar was released on Jun 27, 2024 and is part of jetty 12.0.8

None of the following vulnerabilities seem tagged to apache-el@9.0.90 or Jetty 12.0.8. @aikebah, please review and help to identify the problem area.

CVE-2017-7657 CVE-2017-7658 CVE-2017-7656 CVE-2017-9735 CVE-2021-28165 CVE-2022-2048 CVE-2023-44487 CVE-2020-27216 CVE-2018-12536 CVE-2021-28169 CVE-2023-26048 CVE-2023-26049 CVE-2023-40167 CVE-2023-36479 CVE-2021-34428 CVE-2022-2047

@aikebah
Collaborator

aikebah commented Oct 23, 2024

Ah... right, I stand corrected, jasper-jsp is a project separately versioned from Jetty itself at https://github.com/jetty-project/jasper-jsp (whereas Jetty is at https://github.com/jetty/jetty.project )

aikebah reopened this Oct 23, 2024
aikebah removed the won't fix label Oct 23, 2024
Contributor

Maven Coordinates

<dependency>
   <groupId>org.mortbay.jasper</groupId>
   <artifactId>apache-el</artifactId>
   <version>9.0.90</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7047
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11481471404
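The bot's two checks in this thread, the purl validation that rejected the first submission and the packageUrl/CPE matching of the suppression rule it generated, are modelled below in an added Python example that is not DependencyCheck's own code. The matching semantics it implements (packageUrl regex as a guard, then prefix matching on the CPE 2.2 form of each reported identifier) are an assumption of this example; the rule text and the four CPE strings are copied from the issue as extracted.

```python
import re
import xml.etree.ElementTree as ET

# The suppression rule exactly as the bot posted it in this issue.
SUPPRESSION_XML = r"""<suppress base="true">
   <notes><![CDATA[
   FP per issue #7047
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>"""

# The four CPEs the report listed for the jar, copied from the issue text.
REPORTED_CPES = [
    "cpe:2.3:a:eclipse:jetty:9.0.90:::::::",
    "cpe:2.3:a:jetty:jetty:9.0.90:::::::",
    "cpe:2.3:a:mortbay:jetty:9.0.90:::::::",
    "cpe:2.3:a:mortbay_jetty:jetty:9.0.90:::::::",
]

def is_valid_purl(s: str) -> bool:
    # Simplified purl check mirroring the bot's first rejection: a 'pkg:' scheme,
    # a type, a name and a version are required; an mvnrepository.com link fails.
    return re.fullmatch(r"pkg:[a-z0-9.+-]+/[^@\s]+@[^@\s]+", s) is not None

def cpe23_to_22(cpe23: str) -> str:
    # Rewrite a CPE 2.3 formatted string into the 2.2 URI form used by <cpe>
    # elements, dropping trailing empty or '*' fields.
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe23}")
    fields = parts[2:]
    while fields and fields[-1] in ("", "*"):
        fields.pop()
    return "cpe:/" + ":".join(fields)

def suppressed_cpes(rule_xml: str, purl: str, cpes: list[str]) -> list[str]:
    # Modelled semantics (an assumption of this example, not ODC's own code): the
    # rule applies only when packageUrl matches the dependency, and then drops every
    # reported CPE that the <cpe> value is a field-aligned prefix of (any version).
    rule = ET.fromstring(rule_xml)
    purl_el = rule.find("packageUrl")
    if purl_el is not None:
        pattern = purl_el.text.strip()
        matched = re.search(pattern, purl) if purl_el.get("regex") == "true" else pattern == purl
        if not matched:
            return []
    prefixes = [c.text.strip() for c in rule.findall("cpe")]
    return [c for c in cpes
            if any(cpe23_to_22(c) == p or cpe23_to_22(c).startswith(p + ":") for p in prefixes)]
```

Run against the four reported CPEs, this model suppresses only the eclipse:jetty identifier, which is a useful thing to confirm against the linked test run before relying on the rule.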

@aikebah
Collaborator

aikebah commented Oct 23, 2024

approved

Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue Oct 23, 2024
github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2024