Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: False positive for [email protected] against CVE-2024-43591 #7124

Closed
MidasJAF opened this issue Oct 31, 2024 · 3 comments
Closed

[FP]: False positive for [email protected] against CVE-2024-43591 #7124

MidasJAF opened this issue Oct 31, 2024 · 3 comments
Labels
FP Report maven changes to the maven plugin

Comments

@MidasJAF
Copy link

Package URl

pkg:maven/com.azure/[email protected]

CPE

cpe:2.3:a:microsoft:azure_cli:2.9.9:*:*:*:*:*:*:*

CVE

CVE-2024-43591

ODC Integration

{"label"=>"CLI"}

ODC Version

10.0.2

Description

Releated to #7066 and #7110.
Obviously it doesn't look like a java library for amqp is related to the azure cli, but I suppose it isn't impossible.
It seems it's just the pattern that confuses anything azure related. Are the patterns themselves enough to conclude this is a false positive?
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-core-amqp</artifactId>
   <version>2.9.9</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7124
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-core-amqp@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11611990932

@github-actions github-actions bot added the maven changes to the maven plugin label Oct 31, 2024
@aikebah
Copy link
Collaborator

aikebah commented Oct 31, 2024

approved

FYI the way to tell whether or not it would be a false-positive that we might consider is by checking what project releases your library. In your case the pom points towards https://github.com/Azure/azure-sdk-for-java the azure-sdk for java, which is something different than the azure-cli project (which is at https://github.com/Azure/azure-cli)

If a certain library itself is not vulnerable, but belongs to a project from which another library is found vulnerable we would typically not accept it for false-positive suppressions within the project. The NVD registers the CPE that links vulnerabilities at the level of such products as a whole and we simply don't have time to spent on triaging whether or not a certain library is affected by a given CVE. As long as the link between a library and it's CPE are valid it would be up to users that can't upgrade to a project's patched release to triage whether or not their library would be subject to the given CVE raised towards 'one or more libraries of a given project'.

@github-actions GitHub Actions
Copy link
Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue Oct 31, 2024
@github-actions
fix(fp): FP per issue #7124
87ac89a
This was referenced Dec 4, 2024
Closed
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aikebah @MidasJAF