[FP]: CVE-2023-24621 on yamlbeans-1.17.jar

[cardamon]

Package URl

pkg:maven/com.esotericsoftware.yamlbeans/yamlbeans@1.17

CPE

cpe:2.3:a:esotericsoftware:yamlbeans:1.17:::::::*

CVE

CVE-2023-24621

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.0.9

Description

1.17 was the release that addressed that CVE, see EsotericSoftware/yamlbeans#164 (comment)

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.esotericsoftware.yamlbeans</groupId>
   <artifactId>yamlbeans</artifactId>
   <version>1.17</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6494
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.esotericsoftware\.yamlbeans/yamlbeans@.*$</packageUrl>
   <cpe>cpe:/a:esotericsoftware:yamlbeans</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8082965431

[cardamon]

That suppression rule might not work; this one did:

    <suppress>
        <packageUrl regex="true">^pkg:maven/com\.esotericsoftware\.yamlbeans/yamlbeans@.*$</packageUrl>
        <cve>CVE-2023-24621</cve>
    </suppress>

[aikebah]

Something to take up with the folks at Sonatype (who maintain the vulnerability data of the OSSINDEX which shows this exact version of the library to still be vulnerable).
Note that OSSINDEX might also disagree with library owners on whether or not something is fixed with an update.

[aikebah]

You can find that it's listed within OSSINDEX when you follow the link from the package-url in the html report and log in with a (free to create) OSSINDEX account.
https://ossindex.sonatype.org/component/pkg:maven/com.esotericsoftware.yamlbeans/yamlbeans@1.17?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.9