-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FP]: CVE-2016-10543, which applies to the call module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with call
in the name
#6694
Comments
Maven Coordinates <dependency>
<groupId>io.ktor</groupId>
<artifactId>ktor-server-call-logging-jvm</artifactId>
<version>2.3.11</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6694
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-call-logging-jvm@.*$</packageUrl>
<cpe>cpe:/a:call_project:call</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268548184 |
This is one of multiple FPs of Node.js vulnerabilities that suddenly got flagged on Java/JVM dependencies while I was upgrading Kotlin from 1.9.x to 2.0, apparently because the CPE had an asterisk in the third position, which should have contained the string
|
approved |
Suppress rule has been added to the |
Package URl
pkg:maven/io.ktor/ktor-server-call-logging-jvm@2.3.11
CPE
cpe:2.3:a:call_project:call:2.3.11:::::::*
CVE
CVE-2016-10543
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
9.2.0
Description
Vulnerability CVE-2016-10543, which applies to the call module of
hapi.js
(a Node.js library) gets flagged on Ktor dependencies that havecall
in the name:Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.
Also worth noting: according to NIST, the CPE should in fact be
cpe:2.3:a:call_project:call:*:*:*:*:*:node.js:*:*
, but the CPE that the DendencyCheck Gradle plugin flags has a wildcard in place of thenode.js
part. Perhaps that's what's causing this false positive?The text was updated successfully, but these errors were encountered: