false positive CVE-2016-10542 in java project if dependency jar name contains word '-ws'

[vashistha]

dependency check mvn clean org.owasp:dependency-check-maven:3.3.2:check returns medium severity vulnerability if dependency jar contains word -ws. moreover description suggests, it is relevant to node js platform.

CPE

cpe:/a:ws_project:ws:1.1.0::~~~node.js~~ and all previous versions

Description

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
MISC - https://github.com/nodejs/node/issues/7388
MISC - https://nodesecurity.io/advisories/120
Vulnerable Software & Versions:

cpe:/a:ws_project:ws:1.1.0::~~~node.js~~ and all previous versions

Reproducing the false positive vulnerability

• Create maven project with name containing -ws. example - https://github.com/softwaresecurity/word-ws-dummy-project.git
• Build the project mvn clean install
• Add this project as dependency to another project. example - https://github.com/softwaresecurity/owasp-false-positives.git
• Run dependency check mvn clean org.owasp:dependency-check-maven:3.3.2:check on later project.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.