[FP]: org.eclipse.microprofile.config.microprofile-config-api for CVE-2022-45129 #6885
Labels
Comments
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10299839100 |
|
Maven Coordinates <dependency>
<groupId>org.eclipse.microprofile.config</groupId>
<artifactId>microprofile-config-api</artifactId>
<version>3.0.3</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6885
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile-config-api@.*$</packageUrl>
<cpe>cpe:/a:payara:payara</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10300443838 |
|
With the library as obtained from Maven Central the FP is no longer happening, so likely your library has a hash-mismatch with the build in maven central so it can only do fuzzy text-matching in the CLI to try and establish information on what the artifact is. |
|
I have crosschecked the MD5 value between maven certral repository and our own repository and it looks same. |
|
Do you run the CLI with CentralAnalyzer disabled? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/org.eclipse.microprofile.config/[email protected]
CPE
cpe:2.3:a:payara:payara:3.0.3:::::::*
CVE
CVE-2022-45129
ODC Integration
None
ODC Version
10.0.3
Description
Actual vulnerable component is payara-api before 5.2022.3 but no where it is related to the reported 3PP org.eclipse.microprofile.config.microprofile-config-api-3.0.3.jar
Note : Package URL was missing in the OWASP scan result, since it is mandatory to provide a package URL to create a issue in GitHub so we provided it manualy.
The text was updated successfully, but these errors were encountered: