[FP]: CVE-2023-34478 on shiro-core-2.0.0 (and 5 more including shiro-web too) probably due to alpha version #6507
Comments
|
Maven Coordinates <dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>2.0.0</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6507
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.shiro/shiro-core@.*$</packageUrl>
<cpe>cpe:/a:apache:shiro</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8168589126 |
|
@giacgbj No need to open other FP reports. The root of the issue is indeed with the lack of support for the update component of CPE |
aikebah
added a commit
that referenced
this issue
Apr 28, 2024
…were only valid for the alpha-builds
|
Suppression should now be active |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/org.apache.shiro/shiro-core@2.0.0
CPE
cpe:2.3:a:apache:shiro:2.0.0:::::::*
CVE
CVE-2023-34478
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
9.0.9
Description
The issue is only up to the 2.0.0-alpha2 version. It seems ODC can't handle that CPE.
There are two other FP on this library (CVE-2023-46749 and CVE-2023-46750) and three on shiro-web-2.0.0 (CVE-2023-34478, CVE-2023-46749 and CVE-2023-46750).
Should I open an issue for each one?
The text was updated successfully, but these errors were encountered: