False positive on commons-collections4-4.1.jar

[rmoetwil]

We upgraded from v1.3.6 to v1.4.3 and got a vulnerability finding (High) on commons-collections4-4.1.jar
According to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420 this version should be ok.

Can it be related to version parsing errors reported earlier and maybe also fixed since the release of 1.4.3?

https://mvnrepository.com/artifact/org.apache.commons/commons-collections4
CVE-2015-6420

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.1</version>
</dependency>

[jeremylong]

Unfortunately, this false positive is cropping up due to the temporary fix for issue #534. I'll try to resolve the version number matching algorithm next. For now, you should be able to generate a suppression rule for this.

[v6ak]

I've found this behavior, too. There seems to be some incorrect version detected in the CPE identifier. See https://gist.github.com/v6ak/68dbc738b5789eead689fda02570add4 . There are two reproduction cases and two cases where the version is resolved correctly. Maybe ODC tries to use version in CPE dictionary, so this is used over the actual version.

[jeremylong]

I added a version evidence filter to dependency-check that removes the reported false positive and others. The new filter will be included in the next release.

Thanks for reporting this!

--Jeremy

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.