
DependencyCheck reports many CVEs after upgrade from Java8 to Java17 and renaming one of the jar files. #6956

Open
HQPhamOrcl opened this issue Sep 9, 2024 · 4 comments

Comments

@HQPhamOrcl

HQPhamOrcl commented Sep 9, 2024

We have recently observed an issue where DependencyCheck reported many CVEs after we upgraded from Java8 to Java17 and renamed a JAR file to "utaruntime-2.0.0-bld13.0.80.jar".

The following test was done to isolate the issue:

With Java8:
- Original filename - no issue was reported
- Renamed jar file - no issue was reported

With Java17:
- Original filename - no issue was reported
- Renamed jar file - issue was reported

The issue is only observed with Java17 and JAR file renamed.

Please help us to understand what could cause the issue.

Thank you very much in advance for your assistance.

@OrangeDog
Contributor

OrangeDog commented Sep 9, 2024

You need to provide actual details of the report. See the "False Positive Report" issue template.

@RahulVarmaOrcl

Package URL
pkg:

CPE
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*

CVE
CVE-2018-8088
CVE-2019-10173
CVE-2019-17495
CVE-2020-10683
CVE-2020-14756
CVE-2020-2555
CVE-2021-39139
CVE-2021-39141
CVE-2021-39144
CVE-2021-39145
CVE-2021-39146
CVE-2021-39147
CVE-2021-39148
CVE-2021-39149
CVE-2021-39150
CVE-2021-39151
CVE-2021-39152
CVE-2021-39153
CVE-2021-39154
CVE-2021-2351
CVE-2020-28052
CVE-2018-1000632
CVE-2020-11979
CVE-2020-25649
CVE-2020-36518
CVE-2021-31684
CVE-2019-10086
CVE-2020-1945
CVE-2021-39140
CVE-2019-10219
CVE-2021-27568
CVE-2021-45105
CVE-2021-36373
CVE-2020-14895
CVE-2020-9488

Description
I see the above vulnerabilities in the Java 17 version when the artifactId in the pom is not the same as the jar name. The above CVEs are reported on the Java 17 version of the jar. No issue is found in the Java 8 version of the same jar.
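
The report above pairs one CPE with a long CVE list, so if the JAR turns out not to be the matched product, a suppression scoped to that file is the usual short-term mitigation while the false positive report is processed. The following suppression file is an added example, not something posted in this thread or shipped by DependencyCheck; it uses the file name and CPE quoted above and assumes the JAR is referenced by its file path (the Package URL in the report is truncated, so it is not used here).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; not from issue #6956 or from the DependencyCheck project. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        Issue #6956: utaruntime-2.0.0-bld13.0.80.jar (Java 17 build) is identified as
        cpe:2.3:a:oracle:utilities_framework after the file was renamed so that the file name
        no longer matches the Maven artifactId. Scoped to this file path only; re-check when
        the artifact or its pom coordinates change.
        ]]></notes>
        <!-- Assumption: match the jar by file name anywhere in the scanned tree; tighten the
             regex (or switch to a <sha1> element) to pin it to one exact artifact. -->
        <filePath regex="true">.*[/\\]utaruntime-2\.0\.0-bld13\.0\.80\.jar</filePath>
        <!-- Suppress the product identification rather than each CVE individually, so the
             whole list in the report is cleared together and a future CVE filed against the
             same mismatched CPE does not reappear for this file. -->
        <cpe>cpe:/a:oracle:utilities_framework</cpe>
    </suppress>
</suppressions>
```

The file is passed with `--suppression <file>` on the command-line scanner or via the Maven plugin's `suppressionFiles` configuration. A suppression keyed on `<cpe>` plus `<filePath>` is deliberately narrower than suppressing the CVE numbers globally: the same CVEs stay visible for any other dependency that is genuinely the Oracle Utilities Framework. Keeping the file name aligned with the pom artifactId, which the thread identifies as the trigger, remains the cleaner fix because the evidence from the embedded pom and the file name then agree and no suppression is needed.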

@jeremylong
Owner

Have you considered filling out a false positive report using the provided template?

https://github.com/jeremylong/DependencyCheck/issues/new?assignees=&labels=FP+Report&projects=&template=false-positive-report.yml&title=%5BFP%5D%3A+

Just fill in one of the CVEs and indicate that there are multiple.

@RahulVarmaOrcl

RahulVarmaOrcl commented Oct 4, 2024

Submitted the details; it created a new report below: #7008
