Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is misidentified as jetty 4.0.6 component (but is not) (wrong CPE) #6666

Closed
aschank opened this issue May 14, 2024 · 4 comments
Closed

[FP]: org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is misidentified as jetty 4.0.6 component (but is not) (wrong CPE) #6666

aschank opened this issue May 14, 2024 · 4 comments
Labels
FP Report maven changes to the maven plugin

Comments

@aschank
Copy link

aschank commented May 14, 2024

Package URl

pkg:maven/org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6

CPE

cpe:2.3:a:jetty:jetty:4.0.6:*:*:*:*:*:*:*

CVE

CVE-2017-7657

ODC Integration

{"label"=>"Ant Task"}

ODC Version

9.1.0

Description

Hi,

there is a mis-identification of the CPE for the jetty tools package jetty-servlet-api (version 4.0.6).

The Package org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is mis-identified as a jetty 4.0.6 package (cpe:2.3:a:jetty:jetty:4.0.6:*:*:*:*:*:*:* and cpe:2.3:a:eclipse:jetty:4.0.6:*:*:*:*:*:*:*), although it actually came with Jetty 12 and the version of the jar is independent of Jetty version but depends on the Servlet API version.

So the problem is the incorrect CPE that is identified for the component, since the CVEs all adress earlier jetty versions.

Here's the sonatype ossindex page for the compontent:

https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6

We would appreciate it if the CPE (actually I don't know the correct CPE for this jar) could be fixced.

Thanks in advance :-)
Andreas
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>org.eclipse.jetty.toolchain</groupId>
   <artifactId>jetty-servlet-api</artifactId>
   <version>4.0.6</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6666
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-servlet-api@.*$</packageUrl>
   <cpe>cpe:/a:jetty:jetty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9075500628

@github-actions github-actions bot added the maven changes to the maven plugin label May 14, 2024
@aschank aschank changed the title [FP]: org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is misidentified as jetty 4.0.6 component (but is not) [FP]: org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is misidentified as jetty 4.0.6 component (but is not) (wrong CPE) May 14, 2024
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>org.eclipse.jetty.toolchain</groupId>
   <artifactId>jetty-servlet-api</artifactId>
   <version>4.0.6</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6666
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-servlet-api@.*$</packageUrl>
   <cpe>cpe:/a:jetty:jetty</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9080168763

@aikebah
Copy link
Collaborator

aikebah commented May 15, 2024

approved

@github-actions GitHub Actions
Copy link
Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue May 15, 2024
@github-actions
fix(fp): FP per issue #6666
358a43d
@lread lread mentioned this issue Jul 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aikebah @aschank