
[FP]: False positive for [email protected] against CVE-2024-43591 #7066

Closed
MidasJAF opened this issue Oct 21, 2024 · 6 comments
Labels
FP Report maven changes to the maven plugin

Comments

@MidasJAF

Package URL

pkg:maven/com.azure/[email protected]

CPE

cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*

CVE

CVE-2024-43591

ODC Integration

{"label"=>"CLI"}

ODC Version

10.0.2

Description

azure-json has no azure dependencies, and it doesn't seem to be calling the cli directly. Both the package and the cli are related to azure, but otherwise I don't see how they are connected.

I don't have the html report, so I'm getting the values from the xml output. There are two cpe identifiers, but there are also two vulnerabilities on [email protected]. If they are ordered, the attached cpe should be the correct one. For completeness' sake, the other cpe is cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:* and the other CVE is CVE-2023-36052.

I'll make a separate report for the other False Positive, but wanted to wait until I'm certain I'm reading the report correctly.

Contributor

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-json</artifactId>
   <version>1.3.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7066
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-json@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11439597328
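The opening post asks whether the two CPEs and two CVEs in the XML report line up by order, and the comment above shows the suppression rule that was generated. The following is an added example, not DependencyCheck's own code: it maps each CVE to the identified CPE it was matched on via the vulnerability's vulnerable-software entries rather than by position, then evaluates a rule of the shape posted above (packageUrl regex plus CPE 2.2 prefix). The report fragment is constructed and simplified, and its element names are assumptions modelled on the report layout, not the schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified report fragment. Element names follow the layout of the
# dependency-check XML report but are assumptions for this example, not the schema.
REPORT_XML = """<dependency><identifiers>
 <package><id>pkg:maven/com.azure/azure-json@1.3.0</id></package>
 <vulnerabilityIds><id>cpe:2.3:a:microsoft:azure_cli:1.3.0:*:*:*:*:*:*:*</id></vulnerabilityIds>
 <vulnerabilityIds><id>cpe:2.3:a:microsoft:azure_sdk_for_java:1.3.0:*:*:*:*:*:*:*</id></vulnerabilityIds>
</identifiers><vulnerabilities>
 <vulnerability><name>CVE-2024-43591</name><vulnerableSoftware>
  <software>cpe:2.3:a:microsoft:azure_cli:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability>
 <vulnerability><name>CVE-2023-36052</name><vulnerableSoftware>
  <software>cpe:2.3:a:microsoft:azure_sdk_for_java:*:*:*:*:*:*:*:*</software></vulnerableSoftware></vulnerability>
</vulnerabilities></dependency>"""

# The rule posted in this issue; its <cpe> is a CPE 2.2 prefix (part:vendor:product).
RULE_XML = r"""<suppress base="true">
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-json@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>"""

def vendor_product(cpe23):
    """(vendor, product) fields of a CPE 2.3 name."""
    f = cpe23.split(":")
    return f[3], f[4]

def cve_to_cpe(report_xml):
    """Map each CVE to the identified CPE(s) it was matched on, instead of relying on order."""
    dep = ET.fromstring(report_xml)
    idents = [e.text for e in dep.findall("./identifiers/vulnerabilityIds/id")]
    out = {}
    for vuln in dep.findall("./vulnerabilities/vulnerability"):
        hit = {vendor_product(s.text) for s in vuln.findall("./vulnerableSoftware/software")}
        out[vuln.findtext("name")] = [c for c in idents if vendor_product(c) in hit]
    return out

def rule_matches(rule_xml, purl, cpe23):
    """True when both the packageUrl regex and the CPE prefix of a <suppress> rule match."""
    rule = ET.fromstring(rule_xml)
    purl_ok = re.search(rule.findtext("packageUrl"), purl) is not None
    want = rule.findtext("cpe")[len("cpe:/"):].split(":")   # e.g. [a, microsoft, azure_cli]
    return purl_ok and cpe23.split(":")[2:2 + len(want)] == want

def suppressed_cves(report_xml, rule_xml):
    """CVEs of the dependency that the rule would suppress (others stay reported)."""
    purl = ET.fromstring(report_xml).findtext("./identifiers/package/id")
    return sorted(cve for cve, cpes in cve_to_cpe(report_xml).items()
                  if any(rule_matches(rule_xml, purl, c) for c in cpes))
```

Run against the constructed report, the rule suppresses only CVE-2024-43591; the azure_sdk_for_java match behind CVE-2023-36052 stays reported, which is why a separate rule (and issue) is needed for it.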

@github-actions github-actions bot added the maven changes to the maven plugin label Oct 21, 2024
@MidasJAF
Author

For context I'm getting the xml reports from the jenkins plugin.

@aikebah
Collaborator

aikebah commented Oct 22, 2024

approved

Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue Oct 22, 2024
@lemmbe

lemmbe commented Oct 25, 2024

There is the same problem with azure-core-management right? Should I open another issue?

@MidasJAF
Author

> There is the same problem with azure-core-management right? Should I open another issue?

I think you should. I'm not a maintainer, but it seems like they have automations set up if you use the correct format. So it's a lot easier for them if you do.

You could always reference this issue in your report, then they can evaluate if a more general suppression is warranted.
