
[FP]: commons-collections:commons-collections:3.2.2

Open abhimankhutia opened this issue 3 years ago • 4 comments

Package URL

pkg:maven/commons-collections/[email protected]

CPE

cpe:2.3:a:apache:commons_collections:3.2:*:*:*:*:*:*:*

CVE

CVE-2017-15708

ODC Integration

No response

ODC Version

6.5.3

Description

CVE-2017-15708 is wrongly reported for commons-collections:commons-collections:3.2.2; it should have been reported for the Apache Synapse s/w component.

abhimankhutia avatar Apr 08 '22 09:04 abhimankhutia

Maven Coordinates

<dependency>
   <groupId>commons-collections</groupId>
   <artifactId>commons-collections</artifactId>
   <version>3.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4326
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-collections/commons-collections@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_collections</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2114251647

github-actions[bot] avatar Apr 08 '22 09:04 github-actions[bot]
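The bot's suppression rule above only suppresses a finding when both of its constraints hold: the dependency's package URL must match the `packageUrl` regex, and the identified CPE must start with the `cpe` value. The following Python script is an added example, not code from the DependencyCheck project: it parses a constructed suppression file carrying that rule, normalises a CPE 2.3 string (as given in the issue) to the `cpe:/` prefix form used in the rule, and emulates the prefix-match semantics for `<cpe>` as an assumption. The `org.apache.synapse` package URL used as a negative case is a hypothetical value, and the schema namespace is the one ODC suppression files declare.

```python
import re
import xml.etree.ElementTree as ET

# Constructed suppression file (example content, not shipped by ODC); it
# carries the rule the bot posted in this thread.
SUPPRESSION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    FP per issue #4326
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-collections/commons-collections@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_collections</cpe>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip an XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text):
    """Return one dict per <suppress>: notes, packageUrl pattern, regex flag, cpes."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root.iter():
        if _local(el.tag) != "suppress":
            continue
        rule = {"notes": "", "purl": None, "purl_regex": False, "cpes": []}
        for child in el:
            name = _local(child.tag)
            text = (child.text or "").strip()
            if name == "notes":
                rule["notes"] = text
            elif name == "packageUrl":
                rule["purl"] = text
                rule["purl_regex"] = child.get("regex") == "true"
            elif name == "cpe":
                rule["cpes"].append(text)
        rules.append(rule)
    return rules


def cpe23_to_uri(cpe):
    """Normalise a CPE 2.3 formatted string (cpe:2.3:a:vendor:product:version:*...)
    to the cpe:/a:vendor:product:version prefix form, dropping trailing wildcards."""
    if not cpe.startswith("cpe:2.3:"):
        return cpe
    fields = cpe.split(":")[2:]
    while fields and fields[-1] in ("*", "-", ""):
        fields.pop()
    return "cpe:/" + ":".join(fields)


def purl_matches(rule, purl):
    """No packageUrl constraint means the rule does not restrict on purl."""
    if rule["purl"] is None:
        return True
    if rule["purl_regex"]:
        return re.search(rule["purl"], purl) is not None
    return rule["purl"] == purl


def cpe_matches(rule, cpe):
    """Assumption: a rule CPE matches any identified CPE that starts with it."""
    if not rule["cpes"]:
        return True
    target = cpe23_to_uri(cpe)
    return any(target.startswith(cpe23_to_uri(c)) for c in rule["cpes"])


def is_suppressed(rules, purl, cpe):
    """A finding is suppressed when every constraint of some rule holds."""
    return any(purl_matches(r, purl) and cpe_matches(r, cpe) for r in rules)


def matching_notes(rules, purl, cpe):
    """Notes of the rules that suppress this (purl, cpe) pair, for audit output."""
    return [r["notes"] for r in rules if purl_matches(r, purl) and cpe_matches(r, cpe)]


if __name__ == "__main__":
    rules = parse_suppressions(SUPPRESSION_XML)
    purl = "pkg:maven/commons-collections/commons-collections@3.2.2"
    cpe = "cpe:2.3:a:apache:commons_collections:3.2:*:*:*:*:*:*:*"
    print(purl, cpe, "->", is_suppressed(rules, purl, cpe), matching_notes(rules, purl, cpe))
```

The negative cases matter as much as the positive one: a rule whose regex matches the package URL still must not suppress a CPE for a different product, otherwise a suppression written for one false positive would silently hide real findings on the same artifact.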

Created an issue upstream at OSSINDEX: https://github.com/OSSIndex/vulns/issues/270

aikebah avatar Apr 09 '22 19:04 aikebah

@abhimankhutia can you try ODC 7.0.4 to see if this issue is solved there?

Janpopan avatar Apr 10 '22 10:04 Janpopan

@Janpopan the FP workflow already ran an analysis with ODC 7.0.4 that surfaces this FP due to OSSINDEX returning the CVE for commons-collections, which is why I opened the ticket at OSSINDEX because it's better to fix the source rather than having ODC suppress it.

aikebah avatar Apr 10 '22 11:04 aikebah

Appears to have been resolved in ossindex in the meantime

aikebah avatar Aug 17 '22 13:08 aikebah