[FP]: False positive for azure-json@1.3.0 against CVE-2024-43591 #7066
Maven Coordinates

```xml
<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-json</artifactId>
    <version>1.3.0</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
    <notes><![CDATA[
    FP per issue #7066
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure-json@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11439597328
For context, I'm getting the XML reports from the Jenkins plugin.

approved

Suppress rule has been added to the

There is the same problem with azure-core-management, right? Should I open another issue?

I think you should. I'm not a maintainer, but it seems like they have automations set up if you use the correct format, so it's a lot easier for them if you do. You could always reference this issue in your report; then they can evaluate whether a more general suppression is warranted.
Package URL: pkg:maven/com.azure/azure-json@1.3.0

CPE: cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*

CVE: CVE-2024-43591

ODC Integration: CLI

ODC Version: 10.0.2

Description

azure-json has no Azure dependencies, and it doesn't seem to be calling the CLI directly. Both the package and the CLI are related to Azure, but otherwise I don't see how they are connected.

I don't have the HTML report, so I'm getting the values from the XML output. There are two CPE identifiers, but there are also two vulnerabilities on azure-json@1.3.0. If they are ordered, the attached CPE should be the correct one. For completeness' sake, the other CPE is cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:* and the other CVE is CVE-2023-36052.

I'll make a separate report for the other false positive, but wanted to wait until I'm certain I'm reading the report correctly.
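The reporter above is guessing which of the two CPE identifiers belongs to which CVE from their order in the XML report. The script below is an added example, not code from the issue or from Dependency-Check itself: it reads an ODC XML report and pairs each CVE with the CPE that produced the match, then derives the `cpe:/a:vendor:product` form that goes into a `<cpe>` suppression element like the one approved above. It assumes (not confirmed anywhere on this page) that the report marks the triggering CPE with a `vulnerabilityIdMatched="true"` attribute on the `<software>` element under `<vulnerableSoftware>`, and that the schema namespace URI varies per ODC version, so tags are matched by local name. The sample report embedded in the script is constructed from the identifiers and CVEs quoted in this issue.

```python
"""Pair each CVE in an OWASP Dependency-Check XML report with its matched CPE.

Added example, not part of the Dependency-Check project. Assumption: the report
flags the CPE that caused a vulnerability to be attached with
vulnerabilityIdMatched="true" on the <software> element.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the identifiers quoted in issue #7066.
# The namespace URI is version-specific in real reports, so tags are matched
# by local name below rather than by full qualified name.
SAMPLE_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.4.0.xsd">
  <dependencies>
    <dependency>
      <fileName>azure-json-1.3.0.jar</fileName>
      <identifiers>
        <package confidence="HIGH"><id>pkg:maven/com.azure/azure-json@1.3.0</id></package>
        <vulnerabilityIds confidence="LOW"><id>cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*</id></vulnerabilityIds>
        <vulnerabilityIds confidence="LOW"><id>cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:*</id></vulnerabilityIds>
      </identifiers>
      <vulnerabilities>
        <vulnerability source="NVD">
          <name>CVE-2024-43591</name>
          <vulnerableSoftware>
            <software vulnerabilityIdMatched="true">cpe:2.3:a:microsoft:azure_cli:*:*:*:*:*:*:*:*</software>
          </vulnerableSoftware>
        </vulnerability>
        <vulnerability source="NVD">
          <name>CVE-2023-36052</name>
          <vulnerableSoftware>
            <software vulnerabilityIdMatched="true">cpe:2.3:a:microsoft:azure_sdk_for_java:*:*:*:*:*:*:*:*</software>
          </vulnerableSoftware>
        </vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>
"""


def _local(tag):
    """Strip the {namespace} prefix so the code works across report schema versions."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, else None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def correlate(report_xml):
    """Return {fileName: {"purl": str, "cpes": [cpe23...], "matches": {CVE: [matched cpe23...]}}}."""
    root = ET.fromstring(report_xml)
    result = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        entry = {"purl": None, "cpes": [], "matches": {}}
        # Identifiers ODC attached to the dependency: one package URL, zero or more CPEs.
        for ident in dep.iter():
            if _local(ident.tag) == "package":
                entry["purl"] = _child_text(ident, "id")
            elif _local(ident.tag) == "vulnerabilityIds":
                entry["cpes"].append(_child_text(ident, "id"))
        # For each CVE, collect only the <software> entries flagged as the matching CPE.
        for vuln in dep.iter():
            if _local(vuln.tag) != "vulnerability":
                continue
            matched = [
                (sw.text or "").strip()
                for sw in vuln.iter()
                if _local(sw.tag) == "software" and sw.get("vulnerabilityIdMatched") == "true"
            ]
            entry["matches"][_child_text(vuln, "name")] = matched
        result[_child_text(dep, "fileName")] = entry
    return result


def cpe23_to_suppression_cpe(cpe23):
    """Reduce a cpe:2.3 string to the cpe:/part:vendor:product form used in <cpe> suppressions.

    Handles vendor/product values without escaped colons, which covers the
    identifiers in this issue.
    """
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a cpe:2.3 identifier: {cpe23!r}")
    return f"cpe:/{parts[2]}:{parts[3]}:{parts[4]}"


if __name__ == "__main__":
    for file_name, entry in correlate(SAMPLE_REPORT).items():
        print(f"{file_name} ({entry['purl']})")
        for cve, cpes in entry["matches"].items():
            for cpe in cpes:
                print(f"  {cve} <- {cpe}  suppress with <cpe>{cpe23_to_suppression_cpe(cpe)}</cpe>")
```

Run it against a real `dependency-check-report.xml` by swapping `SAMPLE_REPORT` for the file contents; the CPE it prints next to each CVE is the one to put in the `<cpe>` element, and the `purl` is what the `<packageUrl>` regex should match.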