[FP]: several CVE detected for org.mortbay.jasper.apache-el-9.0.90.jar #7047
Comments
Error parsing package url: https://mvnrepository.com/artifact/org.mortbay.jasper/apache-el/9.0.90. Error: Error: Invalid purl: missing required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11340589366
Error parsing package url: https://mvnrepository.com/artifact/org.mortbay.jasper/apache-el/9.0.90. Error: Error: Invalid purl: missing required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/11340597001
pkg:maven/org.mortbay.jasper/[email protected]
Maven Coordinates:
<dependency>
    <groupId>org.mortbay.jasper</groupId>
    <artifactId>apache-el</artifactId>
    <version>9.0.90</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #7047
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11340611220
The DependencyCheck project takes all libraries under one CPE as a whole and makes by design no attempt to map the CVEs registered against those in the NVD to the subcomponent that it applies to. org.mortbay.jasper.apache-el is versioned together with the rest of Eclipse Jetty so that any vulnerability applicable to it would be listed in the NVD under the Jetty CPE. Therefore it is up to the users to triage the NVD registered vulnerabilities for applicability to the component when they cannot upgrade to the version of Jetty that fixed the vulnerability (in another part of the Jetty libraries).
https://mvnrepository.com/artifact/org.mortbay.jasper/apache-el/9.0.90 - the [email protected] jar was released on Jun 27, 2024 and is part of jetty 12.0.8. None of the following vulnerabilities seem tagged to [email protected] or jetty 12.0.8. @aikebah, please review and help to identify the problem area. CVE-2017-7657 CVE-2017-7658 CVE-2017-7656 CVE-2017-9735 CVE-2021-28165 CVE-2022-2048 CVE-2023-44487 CVE-2020-27216 CVE-2018-12536 CVE-2021-28169 CVE-2023-26048 CVE-2023-26049 CVE-2023-40167 CVE-2023-36479 CVE-2021-34428 CVE-2022-2047
Ah... right, I stand corrected, jasper-jsp is a project separately versioned from Jetty itself at https://github.com/jetty-project/jasper-jsp (whereas Jetty is at https://github.com/jetty/jetty.project )
Maven Coordinates:
<dependency>
    <groupId>org.mortbay.jasper</groupId>
    <artifactId>apache-el</artifactId>
    <version>9.0.90</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #7047
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11481471404
approved
Suppress rule has been added to the
Package URL
pkg:maven/org.mortbay.jasper/[email protected]
CPE
cpe:2.3:a:eclipse:jetty:9.0.90:::::::, cpe:2.3:a:jetty:jetty:9.0.90:::::::, cpe:2.3:a:mortbay:jetty:9.0.90:::::::, cpe:2.3:a:mortbay_jetty:jetty:9.0.90:::::::
CVE
CVE-2017-7657 CVE-2017-7658 CVE-2017-7656 CVE-2017-9735 CVE-2021-28165 CVE-2022-2048 CVE-2023-44487 CVE-2020-27216 CVE-2018-12536 CVE-2021-28169 CVE-2023-26048 CVE-2023-26049 CVE-2023-40167 CVE-2023-36479 CVE-2021-34428 CVE-2022-2047
ODC Integration
None
ODC Version
10.0.4
Description
There are many CVEs identified for org.mortbay.jasper.apache-el-9.0.90.jar.
CVE-2017-7657 CVE-2017-7658 CVE-2017-7656 CVE-2017-9735 CVE-2021-28165 CVE-2022-2048 CVE-2023-44487 CVE-2020-27216 CVE-2018-12536 CVE-2021-28169 CVE-2023-26048 CVE-2023-26049 CVE-2023-40167 CVE-2023-36479 CVE-2021-34428 CVE-2022-2047
On the official Maven repository, none of the above CVEs are mentioned for this OSS jar. Please review.