[FP]: False positive for apache-el-11.0.0.jar against multiple jetty 11 CVE's #7145
Comments
Maven Coordinates

```xml
<dependency>
    <groupId>org.mortbay.jasper</groupId>
    <artifactId>apache-el</artifactId>
    <version>11.0.0</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
    <notes><![CDATA[
    FP per issue #7145
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.mortbay\.jasper/apache-el@.*$</packageUrl>
    <cpe>cpe:/a:eclipse:jetty</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11739964544
approved

Suppress already exists in
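The rule above pairs a `packageUrl` target with a partial `<cpe>`, and the comments below turn on why that pairing matters. The following is an added example, not ODC's own code and not from any participant in this issue: a small Python model of how a suppression rule is applied, under two assumptions about ODC's matching that the example states as assumptions rather than facts about the tool: a non-regex `<cpe>` value matches as a case-insensitive prefix of the CPE 2.2 URI, and a rule that names a `<cpe>` but no `<cve>` removes that CPE identifier from the dependency, so every CVE derived from it disappears with it. The dependency list and CVE set are constructed for the example (trimmed to the one CVE named in the issue), and `RULE_UNSCOPED` is a hypothetical rule added to show what happens when the `packageUrl` target is left out.

```python
import re

# Constructed sample data: two dependencies as a scanner might see them,
# each with the CPE identifier attached to it and the CVEs found via that CPE.
# Not real ODC output.
DEPENDENCIES = [
    {
        # The artifact from this issue: the jetty CPE is a false positive here.
        "purl": "pkg:maven/org.mortbay.jasper/apache-el@11.0.0",
        "cpes": {"cpe:/a:eclipse:jetty:11.0.0": {"CVE-2021-28165"}},
    },
    {
        # A genuine Jetty artifact: the same CPE is correct and must survive.
        "purl": "pkg:maven/org.eclipse.jetty/jetty-server@11.0.0",
        "cpes": {"cpe:/a:eclipse:jetty:11.0.0": {"CVE-2021-28165"}},
    },
]

# The rule proposed in this issue, as a dict: packageUrl is regex="true",
# cpe is a plain value (assumed prefix match against the CPE 2.2 URI).
RULE_SCOPED = {
    "packageUrl": {"value": r"^pkg:maven/org\.mortbay\.jasper/apache-el@.*$",
                   "regex": True},
    "cpe": {"value": "cpe:/a:eclipse:jetty", "regex": False},
}

# Hypothetical variant with no packageUrl target: applies to every dependency.
RULE_UNSCOPED = {"cpe": {"value": "cpe:/a:eclipse:jetty", "regex": False}}


def prop_matches(prop, text):
    """Match one suppression property: full regex match, or prefix otherwise."""
    if prop["regex"]:
        return re.match(prop["value"], text) is not None
    return text.lower().startswith(prop["value"].lower())


def targets_dependency(rule, dep):
    """A rule with no packageUrl target applies to every dependency."""
    if "packageUrl" not in rule:
        return True
    return prop_matches(rule["packageUrl"], dep["purl"])


def apply_rule(rule, deps):
    """Return (remaining {purl: {cpe: cves}}, suppressed {purl: [cpe, ...]})."""
    remaining, suppressed = {}, {}
    for dep in deps:
        kept = {}
        for cpe, cves in dep["cpes"].items():
            if targets_dependency(rule, dep) and prop_matches(rule["cpe"], cpe):
                # CPE identifier stripped, and its CVEs go with it.
                suppressed.setdefault(dep["purl"], []).append(cpe)
            else:
                kept[cpe] = set(cves)
        remaining[dep["purl"]] = kept
    return remaining, suppressed


def remaining_cves(remaining):
    """Flatten the per-CPE CVE sets into one set per dependency."""
    return {purl: set().union(*cpes.values()) for purl, cpes in remaining.items()}


if __name__ == "__main__":
    for name, rule in (("scoped", RULE_SCOPED), ("unscoped", RULE_UNSCOPED)):
        rem, sup = apply_rule(rule, DEPENDENCIES)
        print(name, "suppressed:", sup)
        print(name, "CVEs left:", remaining_cves(rem))
```

With the scoped rule only `apache-el` loses its jetty CPE and `jetty-server` keeps CVE-2021-28165; with the unscoped rule both lose it, which is the over-suppression a `packageUrl` target is there to prevent. Whether a given FP actually goes away also depends on which CPE ODC attached to the jar: a prefix of `cpe:/a:eclipse:jetty` only strips identifiers that start with that string, which is the point made about picking the wrong CPE further down.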
Hi @aikebah, I see this has now been approved. Does this mean the suppression is live, or do I need to wait for a new dependency check release?

Hi @aikebah.

@vbode the bot indicated
gut feel: you picked the wrong CPE and one or more of the other Jetty CPEs are what cause this FP to surface
@aikebah Ah I see that my suppression is now suppressing a different CVE. I think however this is also still a false positive from apache-el. |
@vbode That's a suppression from your own suppression file. |
@aikebah Regarding the report you shared, I think your report is empty because no vulnerabilities were suppressed at all, because there were no vulnerabilities to suppress. |
Report is empty, because the suppressions that are performed by the FP mitigations from the hosted suppressions file (base suppressions) are not added to the list. |
I've had a look again. I see now that we had this error: After adding the --hostedSuppressionsForceUpdate flag, this error no longer shows up, and our suppression no longer needs to suppress the apache-el false positive. We were already using the --noupdate flag, because we use a hosted SQL database. Thanks for the help @aikebah ! |
Package URL
pkg:maven/org.mortbay.jasper/apache-el@11.0.0

CPE
cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*

CVE
CVE-2021-28165

ODC Integration
Docker

ODC Version
11.0.0

Description
It seems like Jetty 11 is being detected as a CPE for apache-el, causing many Jetty 11 CVEs to be detected.
See the attached screenshot.