Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: CVE-2016-10543, which applies to the call module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with call in the name #6694

Closed
volkert-fastned opened this issue May 28, 2024 · 4 comments
Closed

[FP]: CVE-2016-10543, which applies to the call module of the hapijs/hapi.js framework, gets falgged on ktor dependencies with call in the name #6694

volkert-fastned opened this issue May 28, 2024 · 4 comments
Labels
FP Report maven changes to the maven plugin

Comments

@volkert-fastned
Copy link
Contributor

Package URl

pkg:maven/io.ktor/ktor-server-call-logging-jvm@2.3.11

CPE

cpe:2.3:a:call_project:call:2.3.11:::::::*

CVE

CVE-2016-10543

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.2.0

Description

Vulnerability CVE-2016-10543, which applies to the call module of hapi.js (a Node.js library) gets flagged on Ktor dependencies that have call in the name:

ktor-server-call-logging-jvm-2.3.11-sources.jar (pkg:maven/io.ktor/ktor-server-call-logging-jvm@2.3.11, cpe:2.3:a:call_project:call:2.3.11:*:*:*:*:*:*:*) : CVE-2016-10543

Strangely enough, this suddenly got flagged (along with a bunch of other vulnerabilities) while I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. But the dependencies that suddenly got flagged with that upgrade weren't related to the Kotlin 2.0 upgrade.

Also worth noting: according to NIST, the CPE should in fact be cpe:2.3:a:call_project:call:*:*:*:*:*:node.js:*:*, but the CPE that the DendencyCheck Gradle plugin flags has a wildcard in place of the node.js part. Perhaps that's what's causing this false positive?
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>io.ktor</groupId>
   <artifactId>ktor-server-call-logging-jvm</artifactId>
   <version>2.3.11</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6694
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-call-logging-jvm@.*$</packageUrl>
   <cpe>cpe:/a:call_project:call</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9268548184

@github-actions github-actions bot added the maven changes to the maven plugin label May 28, 2024
This was referenced May 28, 2024
Closed
Closed
@volkert-fastned
Copy link
Contributor Author

This is one of multiple FPs of Node.js vulnerabilities that suddenly got flagged on Java/JVM dependencies while I was upgrading Kotlin from 1.9.x to 2.0, apparently because the CPE had an asterisk in the third position, which should have contained the string node.js, according to NIST:

This was referenced May 28, 2024
Closed
Closed
@jeremylong
Copy link
Owner

approved

@github-actions GitHub Actions
Copy link
Contributor

Suppress rule has been added to the generatedSuppressions branch.

github-actions bot added a commit that referenced this issue May 28, 2024
@github-actions
fix(fp): FP per issue #6694
4af948b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jeremylong @volkert-fastned