False positive on commons-collections4-4.1.jar #575
We upgraded from v1.3.6 to v1.4.3 and got a vulnerability finding (High) on commons-collections4-4.1.jar.
According to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420 this version should be OK.
Can it be related to the version parsing errors reported earlier, and maybe also fixed since the release of 1.4.3?
https://mvnrepository.com/artifact/org.apache.commons/commons-collections4
CVE-2015-6420

Comments

Unfortunately, this false positive is cropping up due to the temporary fix for issue #534. I'll try to resolve the version number matching algorithm next. For now, you should be able to generate a suppression rule for this.

I've found this behavior, too. There seems to be some incorrect version detected in the CPE identifier. See https://gist.github.com/v6ak/68dbc738b5789eead689fda02570add4 . There are two reproduction cases and two cases where the version is resolved correctly. Maybe ODC tries to use the version in the CPE dictionary, so this is used over the actual version.

I added a version evidence filter to dependency-check that removes the reported false positive and others. The new filter will be included in the next release. Thanks for reporting this! --Jeremy

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
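The suppression rule the maintainer suggests as a workaround, written out here as an added example; it is not taken from the issue or from the dependency-check documentation. It assumes the dependency-suppression 1.1 schema (the namespace URL and the `gav` element are assumptions about the schema version a 1.4.x scanner accepts) and deliberately pins the regex to the 4.1 artifact: commons-collections4 4.0 is genuinely affected by CVE-2015-6420, so a rule matching every version would hide a real finding if the dependency were ever downgraded.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (not from the project). Schema version is an assumption. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2015-6420 (commons-collections deserialization) is fixed
      in commons-collections4 4.1. The scanner matched the CPE on a version it
      did not actually detect (see ODC issue #575 / #534). Only suppress the
      exact 4.1 coordinates so that 4.0 or older would still be reported.
    ]]></notes>
    <!-- group:artifact:version of the jar as resolved by Maven; regex anchored
         so it cannot match 4.0, 4.10 or a snapshot. -->
    <gav regex="true">^org\.apache\.commons:commons-collections4:4\.1$</gav>
    <!-- Suppress only this CVE, not every finding for the artifact, so that a
         future, genuinely applicable CVE against 4.1 is still surfaced. -->
    <cve>CVE-2015-6420</cve>
  </suppress>
</suppressions>
```

Pass the file to the CLI with `--suppression suppression.xml`, or to the Maven plugin via the `suppressionFile` configuration parameter. Keep the rule scoped to one CVE and one exact version, and delete it once the scanner release carrying the version evidence filter is in use, since a stale suppression is itself a detection gap.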