[FP]:

[Nitish1210]

Package URl

pkg:maven/io.opentelemetry.contrib/opentelemetry-prometheus-client-bridge@1.35.0-alpha

CPE

cpe:2.3:a:prometheus:prometheus:::::::: versions up to (excluding) 2.7.1

CVE

CVE-2019-3826

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.0.3

Description

It is a false positive as it checks every package with word "prometheus" and its version to verify the eligibility for CVE-2019-3826 which shouldn't be the case.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>io.opentelemetry.contrib</groupId>
   <artifactId>opentelemetry-prometheus-client-bridge</artifactId>
   <version>1.35.0-alpha</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6595
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.contrib/opentelemetry-prometheus-client-bridge@.*$</packageUrl>
   <cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8714185955

[jeremylong]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.