
log4j-core vulnerabilities being detected is a false positive.

Open ak12021996 opened this issue 3 years ago • 1 comments

We found these log4j vulnerabilities in 'deepfenceio/deepfence_elastic_ce'. If the log4j issue is already resolved in the 1.3.0 release, why is the deepfence console still flagging it? As per the slack conversation, log4j-core vulnerabilities being detected is a false positive. Since elasticsearch didn't send the patch for elasticsearch-oss-no-jdk, the team already removed the vulnerable class (JndiLookup.class) from the jar, so the final image does not have log4j-related vulnerabilities, but the deepfence console is still flagging it. The team is working on getting the false positive fixed. Raising this issue to keep track of progress.

ak12021996 avatar May 27 '22 07:05 ak12021996
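An added example, not part of the original issue or ThreatMapper's code: a check that confirms the mitigation described above by looking inside each log4j-core jar (including jars nested in other archives) for `JndiLookup.class`, which a scanner matching only on package version cannot see. It assumes log4j-core is identified by its Maven `pom.properties` entry; the sample jars and their version string are constructed placeholders.

```python
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(data, name="<jar>", findings=None):
    """Walk a jar (and jars nested in it); record each log4j-core copy found."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            version = next((line.split("=", 1)[1].strip()
                            for line in props.splitlines()
                            if line.startswith("version=")), "unknown")
            # The version says what a package scanner reports; the class
            # check says whether the JNDI lookup code is actually shipped.
            findings.append({"jar": name, "version": version,
                             "jndi_lookup_present": JNDI_CLASS in names})
        for entry in sorted(names):
            if entry.lower().endswith((".jar", ".war", ".ear")):
                try:
                    inspect_jar(zf.read(entry), f"{name}!{entry}", findings)
                except zipfile.BadZipFile:
                    pass  # not a readable archive; skip it
    return findings


def make_jar(files):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in files.items():
            zf.writestr(entry, content)
    return buf.getvalue()


# Constructed samples: the version string is a placeholder, not from the issue.
PROPS = b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=0.0.0-sample\n"
STOCK = make_jar({POM_PROPS: PROPS, JNDI_CLASS: b"\xca\xfe\xba\xbe"})
STRIPPED = make_jar({POM_PROPS: PROPS})
BUNDLE = make_jar({"lib/log4j-core.jar": STRIPPED, "lib/other.jar": b"not a zip"})

if __name__ == "__main__":
    for label, jar in (("stock", STOCK), ("stripped", STRIPPED), ("bundle", BUNDLE)):
        for finding in inspect_jar(jar, label):
            print(finding)
```

A finding with a flagged version but `jndi_lookup_present` set to `False` is the situation the issue describes: the version metadata is unchanged, so the scanner reports it, while the class has been removed.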

@sidd0529 would you verify if we are still getting the false positives?

ibreakthecloud avatar Sep 13 '22 04:09 ibreakthecloud

This issue has been fixed. @ak12021996, can you pls check it? Closing this issue; reopen if needed.

ibreakthecloud avatar Sep 29 '22 11:09 ibreakthecloud