[FP]: CVE-2017-20189 #6438
Comments
Error parsing package url: many. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7757666679 |
Error parsing package url: many. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7757821791 |
Error parsing package url: many. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7760349297 |
@favila could you update the |
Maven Coordinates:

```xml
<dependency>
  <groupId>com.clojure-goes-fast</groupId>
  <artifactId>jvm-alloc-rate-meter</artifactId>
  <version>0.1.4</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6438
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/com\.clojure-goes-fast/jvm-alloc-rate-meter@.*$</packageUrl>
  <cpe>cpe:/a:clojure:clojure</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7895310657 |
I was concerned that this would create an overly narrow suppression rule like above. Note to maintainers: please do not regard the list of affected packages above as exhaustive. Potentially hundreds of packages that are merely written in Clojure are affected by this false positive. |
@jeremylong how can I help move this forward? |
Suppressions should now be active |
Package URL
pkg:maven/com.clojure-goes-fast/jvm-alloc-rate-meter@0.1.4
CPE
cpe:2.3:a:clojure:clojure:*:*:*:*:*:*:*:*
CVE
CVE-2017-20189
ODC Integration
None
ODC Version
9.0.9
Description
CVE-2017-20189 is a vulnerability in Clojure < 1.9. (Although 2017, the CVE was recently issued.) The maven package url for these dependencies is specifically `pkg:maven/org.clojure/clojure@*`. However this seems to be fuzzy-matching many other org.clojure projects and even projects that are merely written in Clojure. So far I have seen the following packageUrls match:
This is just what I found in a largish clojure application, so this is likely not a complete list.
I used the following suppression:
This seems to be enough for it to correctly narrow down to only `org.clojure/clojure` and then start looking at the version. It detects clojure 1.8 jars and ignores clojure 1.9 and above. Another possibility might be this:
However I don't know for sure whether `cpe:/a:clojure:clojure` is meant to include any other clojure-adjacent products besides the core clojure artifact itself.
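The bot's parse error earlier in the thread ("purl is missing the required pkg scheme component" for the literal value "many") and the suppression rule it generated both come down to how a purl is parsed and how a `<suppress>` rule is matched against a dependency. The Python below is an added illustration, not code from the DependencyCheck project or from anyone in this thread: it implements a small purl parser, a simplified model of `packageUrl`/`cpe` suppression matching (assumed here: a regex `packageUrl` must match the whole purl, and the `cpe` matches when part, vendor and product agree across the 2.2 and 2.3 notations), and the Clojure < 1.9 version check, then runs the bot's narrow rule and a hypothetical broader rule over constructed sample purls. `BROAD_RULE`, `IDENTIFIED_CPE`, `evaluate` and the sample purls are my own assumptions and are not taken from the issue.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the CPE the fuzzy match assigns to every
# Clojure-related artifact according to the issue (CPE 2.3 notation).
IDENTIFIED_CPE = "cpe:2.3:a:clojure:clojure:*:*:*:*:*:*:*:*"


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(text: str) -> Purl:
    """Minimal package-url parser (not the packageurl library): enforces the
    'pkg:' scheme, then splits type / namespace / name @ version."""
    if not text.startswith("pkg:"):
        # Same failure the FP bot reported when the field contained "many".
        raise ValueError('purl is missing the required "pkg" scheme component')
    rest = text[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    ptype, _, path = rest.partition("/")
    if not ptype or not path:
        raise ValueError("purl needs a type and a name")
    version: Optional[str] = None
    if "@" in path:
        path, _, version = path.rpartition("@")
    segments = path.split("/")
    namespace = "/".join(segments[:-1]) or None
    return Purl(ptype, namespace, segments[-1], version or None)


def is_valid_purl(text: str) -> bool:
    try:
        parse_purl(text)
        return True
    except ValueError:
        return False


def cpe_key(cpe: str) -> tuple[str, str, str]:
    """Reduce a CPE 2.2 ('cpe:/a:v:p') or CPE 2.3 ('cpe:2.3:a:v:p:...') string
    to (part, vendor, product) so the two notations can be compared."""
    if cpe.startswith("cpe:2.3:"):
        p = cpe.split(":")
        return (p[2], p[3], p[4])
    if cpe.startswith("cpe:/"):
        p = cpe[len("cpe:/"):].split(":")
        return (p[0], p[1], p[2])
    raise ValueError(f"unrecognised CPE format: {cpe}")


@dataclass(frozen=True)
class Suppression:
    """Simplified model (an assumption, not ODC's matcher) of a <suppress> with
    <packageUrl> and <cpe> children."""
    package_url: str
    package_url_regex: bool
    cpe: str

    def applies(self, purl: str, identified_cpe: str) -> bool:
        if self.package_url_regex:
            purl_ok = re.fullmatch(self.package_url, purl) is not None
        else:
            purl_ok = purl == self.package_url
        return purl_ok and cpe_key(identified_cpe) == cpe_key(self.cpe)


def affected_version(version: Optional[str]) -> bool:
    """CVE-2017-20189 affects Clojure < 1.9; an unknown version counts as affected."""
    if version is None:
        return True
    return tuple(int(n) for n in re.findall(r"\d+", version)) < (1, 9)


def evaluate(purls: list[str], rules: list[Suppression]) -> dict[str, str]:
    """Classify each purl as 'not affected', 'suppressed' or 'reported'."""
    results = {}
    for text in purls:
        purl = parse_purl(text)
        if not affected_version(purl.version):
            results[text] = "not affected"
        elif any(rule.applies(text, IDENTIFIED_CPE) for rule in rules):
            results[text] = "suppressed"
        else:
            results[text] = "reported"
    return results


# The rule the FP bot generated for this issue (copied from the thread).
NARROW_RULE = Suppression(r"^pkg:maven/com\.clojure-goes-fast/jvm-alloc-rate-meter@.*$", True, "cpe:/a:clojure:clojure")
# Hypothetical broader rule: drop the clojure:clojure CPE from every Maven artifact
# except org.clojure/clojure itself, so the real CVE still fires on old Clojure jars.
BROAD_RULE = Suppression(r"^pkg:maven/(?!org\.clojure/clojure@).*$", True, "cpe:/a:clojure:clojure")

# Constructed sample purls: one true positive, one safe version, two false positives.
SAMPLE_PURLS = [
    "pkg:maven/org.clojure/clojure@1.8.0",
    "pkg:maven/org.clojure/clojure@1.11.1",
    "pkg:maven/org.clojure/core.async@1.6.681",
    "pkg:maven/com.clojure-goes-fast/jvm-alloc-rate-meter@0.1.4",
]

if __name__ == "__main__":
    for label, rules in (("narrow", [NARROW_RULE]), ("broad", [BROAD_RULE])):
        print(f"--- {label} rule ---")
        for purl, status in evaluate(SAMPLE_PURLS, rules).items():
            print(f"{status:13} {purl}")
```

Running it shows the point made above: with the bot's narrow rule only `jvm-alloc-rate-meter` is suppressed and `core.async@1.6.681` is still reported, while the broader rule suppresses every artifact that is merely written in Clojure and still reports `org.clojure/clojure@1.8.0`; in both cases `clojure@1.11.1` is left alone by the version check alone.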