
False Negative on bc-fips-1.0.2.jar and PyYAML:5.1.2

Open · Anshu2405 opened this issue 3 years ago · 1 comment

CVE-2020-15522 might be a false negative on the library org.bouncycastle:bc-fips:1.0.2. CVE-2019-20477, CVE-2020-14343 and CVE-2020-1747 might be false negatives on the library PyYAML:5.1.2.

These CVEs are not reported by the Dependency-check tool but are reported by other open-source tools like Trivy.

Does this CVE actually belong to org.bouncycastle:bc-fips:1.0.2, as per the information on a few sites? If yes, then it is a false negative issue.

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bc-fips</artifactId>
    <version>1.0.2</version>
</dependency>

PyYAML:5.1.2

Anshu2405 · Nov 17 '21 13:11

The bc-fips vulnerability is properly detected (Maven plugin 7.1.0). Not sure how to properly validate the PyYAML CVEs; maybe you can retest?

aikebah · Jun 08 '22 16:06
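Both posts turn on the same question: does a CVE "belong to" a given artifact version, i.e. does the artifact's CPE and version fall inside the CPE applicability ranges recorded for the CVE in the NVD? That is the check to make before calling a non-report a false negative, because a scanner that identifies the artifact correctly but whose CPE range says "not affected" is behaving as designed. The script below is an added example, written for this page; it is not code from the dependency-check project, from the issue's authors, or from the NVD. It evaluates NVD API 2.0 style `configurations` data (`cpeMatch` entries with `versionStartIncluding` / `versionEndExcluding` bounds, `OR`/`AND` nodes, `negate`) against a concrete vendor, product and version. The embedded record is constructed: the CVE id `CVE-0000-00000`, the CPE vendor/product names and every version bound are placeholders chosen so the code has something to run on, not data from the real advisories named in the issue. To check a real CVE, replace `SAMPLE_CVE` with the `vulnerabilities[0].cve` object returned by `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<id>`.

```python
"""Evaluate NVD CPE applicability ranges against a concrete artifact version.

Added example for this issue thread; not dependency-check or NVD code.
SAMPLE_CVE is constructed: id, CPE names and version bounds are placeholders.
"""
import re
from typing import Dict, Tuple

# Constructed sample shaped like an NVD API 2.0 'configurations' array.
SAMPLE_CVE = {
    "id": "CVE-0000-00000",  # placeholder, not a real CVE id
    "configurations": [
        {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:bouncycastle:fips_java_api:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "1.0.0",      # placeholder bound
             "versionEndExcluding": "1.0.2.1"},     # placeholder bound
        ]}]},
        {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:pyyaml:pyyaml:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "5.4"},         # placeholder bound
            {"vulnerable": False,                   # context-only entry, never a hit
             "criteria": "cpe:2.3:a:pyyaml:pyyaml:5.4:*:*:*:*:*:*:*"},
        ]}]},
    ],
}

CPE_FIELDS = ["cpe", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other"]


def version_key(version: str) -> Tuple:
    """Map '1.0.2.1' / '5.1.2' to a comparable tuple; numeric parts compare as ints.
    A shorter prefix sorts first, so 1.0.2 < 1.0.2.1. Pre-release tags such as
    '-rc1' are treated as extra components, which is a simplification."""
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower())
                 for p in re.split(r"[.\-_]", version.strip()))


def parse_cpe(criteria: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into named fields (escaped ':' not handled)."""
    values = criteria.split(":")
    if len(values) != len(CPE_FIELDS) or values[0] != "cpe" or values[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return dict(zip(CPE_FIELDS, values))


def cpe_match_applies(match: dict, vendor: str, product: str, version: str) -> bool:
    """True if one 'cpeMatch' entry marks vendor/product/version as vulnerable."""
    if not match.get("vulnerable", False):
        return False
    cpe = parse_cpe(match["criteria"])
    if (cpe["part"], cpe["vendor"].lower(), cpe["product"].lower()) != ("a", vendor.lower(), product.lower()):
        return False
    v = version_key(version)
    if cpe["version"] != "*":            # explicit version in the CPE: exact match only
        return v == version_key(cpe["version"])
    bounds = [("versionStartIncluding", lambda b: v < b),
              ("versionStartExcluding", lambda b: v <= b),
              ("versionEndIncluding", lambda b: v > b),
              ("versionEndExcluding", lambda b: v >= b)]
    return not any(match.get(k) and out_of_range(version_key(match[k])) for k, out_of_range in bounds)


def node_applies(node: dict, vendor: str, product: str, version: str) -> bool:
    results = [cpe_match_applies(m, vendor, product, version) for m in node.get("cpeMatch", [])]
    hit = all(results) if node.get("operator", "OR").upper() == "AND" else any(results)
    return (not hit) if node.get("negate", False) else hit


def cve_applies(cve: dict, vendor: str, product: str, version: str) -> bool:
    """True if any configuration covers the artifact. Nodes within a configuration
    combine with its operator (default AND); nodes with no vulnerable entry are
    platform context (e.g. 'running on') and are skipped, a simplification."""
    for config in cve.get("configurations", []):
        nodes = [n for n in config.get("nodes", []) if any(m.get("vulnerable") for m in n.get("cpeMatch", []))]
        if not nodes:
            continue
        results = [node_applies(n, vendor, product, version) for n in nodes]
        if all(results) if config.get("operator", "AND").upper() == "AND" else any(results):
            return True
    return False


def check_reported_artifacts(cve: dict = SAMPLE_CVE) -> Dict[str, bool]:
    """The two artifacts from the issue, evaluated against the (constructed) record."""
    return {
        "bc-fips:1.0.2": cve_applies(cve, "bouncycastle", "fips_java_api", "1.0.2"),
        "PyYAML:5.1.2": cve_applies(cve, "pyyaml", "pyyaml", "5.1.2"),
    }


if __name__ == "__main__":
    for artifact, affected in check_reported_artifacts().items():
        print(f"{SAMPLE_CVE['id']} applies to {artifact}: {affected}")
```

If the real NVD record says the version is in range and the scanner still reports nothing, the next thing to check is identification rather than matching: dependency-check's Python analyzers work from package metadata it can see (a requirements.txt, Pipfile, or a wheel/egg METADATA file), so a bare "PyYAML:5.1.2" has to be present in one of those for the CPE lookup to happen at all.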