[FP]: CVE-2023-4759 org.eclipse.jgit@6.7.0.202309050840-r #5943
Comments
Maven Coordinates

<dependency>
  <groupId>org.eclipse.jgit</groupId>
  <artifactId>org.eclipse.jgit</artifactId>
  <version>6.7.0.202309050840-r</version>
</dependency>

Suppression rule:

<suppress base="true">
  <notes><![CDATA[
FP per issue #5943
]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
  <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238507857
Maven Coordinates

<dependency>
  <groupId>org.eclipse.jgit</groupId>
  <artifactId>org.eclipse.jgit</artifactId>
  <version>6.7.0.202309050840-r</version>
</dependency>

Suppression rule:

<suppress base="true">
  <notes><![CDATA[
FP per issue #5943
]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
  <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238518590
Maven Coordinates

<dependency>
  <groupId>org.eclipse.jgit</groupId>
  <artifactId>org.eclipse.jgit</artifactId>
  <version>6.7.0.202309050840-r</version>
</dependency>

Suppression rule:

<suppress base="true">
  <notes><![CDATA[
FP per issue #5943
]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/org\.eclipse\.jgit@.*$</packageUrl>
  <cpe>cpe:/a:eclipse:jgit</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6238514672
Thanks for raising this @barchetta - I was also looking for guidance from the OWASP Dep Check team as to whether this is essentially due to the way NVD have tagged the affected versions. There are also false negatives here, as all JGit versions prior to 6.6.1 are also affected, but the current mapping doesn't reflect that. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4759

While this is definitely a false positive, it seems like it's just an NVD confusion about the date version suffixes (there will not be a

I believe then it will go away in OWASP Dep Check even though it sees the maven version as

I suppose it is still a bit strange here that In other words, if
Hi, I assume it's the same issue for

which is considered as having the same CVE-2023-4759. Because the "suppress" proposed by the bot doesn't work for this one, I suggest this one: --EDIT--

It works for everything under jgit (like: I used Feel free to correct me on this!

Yeah, probably the same. I’ve been trying to get NVD to change the CPE versions but they seemed to misunderstand and update it to something even worse (and incorrect). Have tried again earlier today.

I haven't had a reply yet from NIST NVD, sadly. In any case, for what it's worth, upgrading to the recently released JGit

Thank you for the heads up 🙏
Package URL
pkg:maven/org.eclipse.jgit/org.eclipse.jgit@6.7.0.202309050840-r
CPE
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0; versions up to (excluding) 6.7.0.202309050840
cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0; versions up to (excluding) 6.6.1.202309021850
CVE
CVE-2023-4759
ODC Integration
None
ODC Version
8.4.0
Description
According to the CVE description, "The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r". The CPE states:

versions from (including) 6.7.0; versions up to (excluding) 6.7.0.202309050840

So maybe the fact that the CPE states to include 6.7.0 is triggering the FP. Or maybe it's because the excluded version does not have the -r at the end (like the version of the maven artifact does).
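To make the two readings in the description concrete, here is an added illustration that is not DependencyCheck's own matching code: it checks a Maven version against the two CPE ranges quoted in this issue, once ignoring the -r qualifier and once treating it as a pre-release marker that sorts below the bare version. The CPE_RANGES table and the sample versions are constructed from the values on this page; the 6.5.0 sample is a made-up pre-6.6 version that shows the false negative noted in the first comment.

```python
import re
from typing import List, Tuple

# Constructed from the two CPE ranges quoted in this issue:
# (start, inclusive) .. (end, exclusive)
CPE_RANGES = [
    ("6.7.0", "6.7.0.202309050840"),
    ("6.6.0", "6.6.1.202309021850"),
]


def parse(version: str) -> Tuple[List[int], str]:
    """Split '6.7.0.202309050840-r' into numeric segments and a qualifier ('r')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9]+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    return [int(p) for p in m.group(1).split(".")], m.group(2) or ""


def compare(a: str, b: str, prerelease_qualifier: bool) -> int:
    """Return -1, 0 or 1. Numeric segments are compared one by one (a missing
    segment counts as 0). With prerelease_qualifier=True a '-r' style suffix
    sorts *below* the bare version, semver-style; otherwise it is ignored."""
    na, qa = parse(a)
    nb, qb = parse(b)
    width = max(len(na), len(nb))
    na += [0] * (width - len(na))
    nb += [0] * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if not prerelease_qualifier or qa == qb:
        return 0
    if not qa or not qb:  # bare version outranks the one carrying a qualifier
        return 1 if not qa else -1
    return -1 if qa < qb else 1


def in_ranges(version: str, prerelease_qualifier: bool) -> bool:
    """True if the version falls inside any CPE range under the chosen rule."""
    return any(
        compare(version, start, prerelease_qualifier) >= 0
        and compare(version, end, prerelease_qualifier) < 0
        for start, end in CPE_RANGES
    )


if __name__ == "__main__":
    for v in ["6.7.0.202309050840-r", "6.6.1.202309021850-r", "6.6.0", "6.5.0"]:
        print(v, "ignore qualifier:", in_ranges(v, False),
              "| qualifier as pre-release:", in_ranges(v, True))
```

Under the pre-release reading both fixed versions land inside the ranges (the false positive), while 6.5.0 matches neither range under either reading.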