
[FP]: commons-digester and commons-validator apache james #4162

Closed
patrickneihengen opened this issue Mar 4, 2022 · 6 comments
Labels
FP Report maven changes to the maven plugin pending release
Milestone

Comments

@patrickneihengen

Package URL

pkg:maven/commons-digester/commons-digester@2.1

CPE

cpe:2.3:a:apache:james:2.1:*:*:*:*:*:*:*

CVE

CVE-2021-40110(7.5), CVE-2021-40525(9.1)

ODC Integration

Maven Plugin

ODC Version

7.0.0

Description

Received two false positives on
commons-digester-2.1.jar (pkg:maven/commons-digester/commons-digester@2.1, cpe:2.3:a:apache:james:2.1:*:*:*:*:*:*:*) : CVE-2021-38542, CVE-2021-40110, CVE-2021-40111, CVE-2021-40525
commons-validator-1.7.jar (pkg:maven/commons-validator/commons-validator@1.7, cpe:2.3:a:apache:james:1.7:*:*:*:*:*:*:*) : CVE-2021-38542, CVE-2021-40110, CVE-2021-40111, CVE-2021-40525

[ERROR] commons-digester-2.1.jar: CVE-2021-40110(7.5), CVE-2021-40525(9.1)
[ERROR] commons-validator-1.7.jar: CVE-2021-40110(7.5), CVE-2021-40525(9.1)

These are not tied to apache james.

@github-actions
Contributor

github-actions bot commented Mar 4, 2022

Maven Coordinates

<dependency>
   <groupId>commons-digester</groupId>
   <artifactId>commons-digester</artifactId>
   <version>2.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4162
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-digester/commons-digester@.*$</packageUrl>
   <cpe>cpe:/a:apache:james</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/1934166423

@github-actions github-actions bot added the maven changes to the maven plugin label Mar 4, 2022
@aikebah aikebah added this to the 7.0.1 milestone Mar 4, 2022
@aikebah
Collaborator

aikebah commented Mar 4, 2022

Fixed in current snapshot by #4148

albuch added a commit to albuch/sbt-dependency-check that referenced this issue Mar 5, 2022
@costimuraru

Has this fix been released?
We are facing this error when migrating to DependencyCheck 7.0.0, which complains about commons-validator.

@aikebah
Collaborator

aikebah commented Mar 16, 2022

As can be seen in the right-hand bar, this issue is scheduled for the 7.0.1 milestone. It is currently only resolved in the latest snapshot builds.

@vemv

vemv commented Mar 16, 2022

Where can snapshot builds be found?

@aikebah
Collaborator

aikebah commented Mar 16, 2022

In my view you typically don't want to use snapshot builds except for experimentation. Until a new release is out, you can use the suppression added by #4148 in your own suppression file with v7.0.0.

If you insist on using the snapshot (be aware that you may get frequent updates and they might be unstable), you can find them in the oss dot sonatype dot org snapshots repository, or you can build one yourself from the sources in this repository.
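Before dropping the bot-generated rule from the comment above into your own suppression file, it is worth checking which of the two reported jars it actually covers. The following is an added illustration, not code from DependencyCheck; it models the suppression semantics in a simplified way (packageUrl is a full-match regex, a cpe:/ value matches as a prefix, and both must match for a finding to be suppressed) and runs it against findings constructed from the report in this issue.

```python
import re
import xml.etree.ElementTree as ET

# Constructed suppression file holding the rule the bot posted in this issue.
SUPPRESSIONS_XML = """<suppressions>
<suppress base="true">
   <notes><![CDATA[
   FP per issue #4162
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-digester/commons-digester@.*$</packageUrl>
   <cpe>cpe:/a:apache:james</cpe>
</suppress>
</suppressions>"""

# Constructed findings mirroring the two jars from the report; the CPE 2.3 values
# are written in the cpe:/ (2.2) form that the suppression element uses.
FINDINGS = [
    {"jar": "commons-digester-2.1.jar",
     "purl": "pkg:maven/commons-digester/commons-digester@2.1",
     "cpe22": "cpe:/a:apache:james:2.1", "cve": "CVE-2021-40110"},
    {"jar": "commons-validator-1.7.jar",
     "purl": "pkg:maven/commons-validator/commons-validator@1.7",
     "cpe22": "cpe:/a:apache:james:1.7", "cve": "CVE-2021-40110"},
]

def load_rules(xml_text):
    """Parse <suppress> elements into plain dicts (packageUrl, regex flag, cpe list)."""
    rules = []
    for s in ET.fromstring(xml_text).iter("suppress"):
        purl = s.find("packageUrl")
        rules.append({
            "purl": purl.text.strip() if purl is not None else None,
            "purl_regex": purl is not None and purl.get("regex") == "true",
            "cpes": [c.text.strip() for c in s.findall("cpe")],
        })
    return rules

def rule_matches(rule, finding):
    """Simplified model: every selector present in the rule must match the finding."""
    if rule["purl"]:
        ok = (re.fullmatch(rule["purl"], finding["purl"]) if rule["purl_regex"]
              else rule["purl"] == finding["purl"])
        if not ok:
            return False
    if rule["cpes"] and not any(finding["cpe22"].startswith(c) for c in rule["cpes"]):
        return False
    return True

def unsuppressed(findings, rules):
    """Jars whose finding is not covered by any rule and would still be reported."""
    return [f["jar"] for f in findings if not any(rule_matches(r, f) for r in rules)]
```

Because the packageUrl regex names commons-digester only, the commons-validator finding from the same report stays unsuppressed under this rule; a second rule with that artifact's packageUrl (or one without the packageUrl selector) would be needed to cover both.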
