aschank changed the title from "[FP]: org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is misidentified as jetty 4.0.6 component (but is not)" to "[FP]: org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is misidentified as jetty 4.0.6 component (but is not) (wrong CPE)" on May 14, 2024
Package URL
pkg:maven/org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6
CPE
cpe:2.3:a:jetty:jetty:4.0.6:*:*:*:*:*:*:*
CVE
CVE-2017-7657
ODC Integration
Ant Task
ODC Version
9.1.0
Description
Hi,
there is a mis-identification of the CPE for the jetty tools package jetty-servlet-api (version 4.0.6).
The Package org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is mis-identified as a jetty 4.0.6 package (cpe:2.3:a:jetty:jetty:4.0.6:*:*:*:*:*:*:* and cpe:2.3:a:eclipse:jetty:4.0.6:*:*:*:*:*:*:*), although it actually came with Jetty 12 and the version of the jar is independent of Jetty version but depends on the Servlet API version.
So the problem is the incorrect CPE that is identified for the component, since the CVEs all address earlier jetty versions.
Here's the Sonatype ossindex page for the component:
https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6
We would appreciate it if the CPE (actually I don't know the correct CPE for this jar) could be fixed.
Thanks in advance :-)
Andreas
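
A local workaround until the CPE mapping is corrected upstream, as an added example that is not part of the original report or of the DependencyCheck project: a suppression file that drops the two Jetty CPEs reported above for this one Maven artifact only. The any-version match on the package URL is an assumption based on the report's statement that the jar's version is independent of the Jetty version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: jetty-servlet-api is the Servlet API jar from the Jetty
      toolchain, not the Jetty server. Its version follows the Servlet API
      version, so matching it against jetty:jetty 4.0.6 is wrong.
    ]]></notes>
    <!-- Scope the suppression to this artifact only, so real Jetty server
         jars in the same scan are still matched against Jetty CVEs.
         Assumption: all versions of the artifact are covered; replace ".*"
         with "4\.0\.6" to limit it to the version in the report. -->
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-servlet-api@.*$</packageUrl>
    <!-- Suppress the two CPE identifications named in the report, rather
         than individual CVEs, so every CVE attached to them is dropped. -->
    <cpe>cpe:/a:jetty:jetty</cpe>
    <cpe>cpe:/a:eclipse:jetty</cpe>
  </suppress>
</suppressions>
```

With the Ant task used in this report, the file is referenced through the task's `suppressionFile` attribute.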