DependencyCheck
[FP]: r2dbc-postgresql
Package URL
pkg:maven/org.postgresql/r2dbc-postgresql@0.9.1.RELEASE
CPE
cpe:/a:postgresql:postgresql
CVE
No response
ODC Integration
Gradle Plugin
ODC Version
7.1.0.1
Description
r2dbc-postgresql has changed Maven coordinates - the group has changed from io.r2dbc to org.postgresql.
So this false positive has come up again - and needs a similar fix.
Maven Coordinates
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>r2dbc-postgresql</artifactId>
<version>0.9.1.RELEASE</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #4616
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.postgresql/r2dbc-postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql`</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2530147993
Like the GitHub Action 😄. Just be careful, it seems an extra backtick has slipped in on the cpe.
Hmm, this one has been lingering around for a while :-( (the GitHub Actions issue with backticks is related to not having the full :*:*:* CPE string). If you remove the backticks in your case it will work correctly.
Resolved by #4755
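As an added, stand-alone check (not code from the issue author or from Dependency-Check itself), the script below parses a bare suppress element like the one posted above, confirms that its packageUrl regex matches the dependency's package URL, and flags a cpe value that is not a well-formed CPE 2.2 URI, which is how the stray backtick discussed in the comments shows up. Assumptions made here: the package URL is the plain form implied by the Maven coordinates, the suppress element is parsed without the suppressions-file namespace, the CPE component allow-list is a conservative one chosen for this checker rather than Dependency-Check's own parser, and the old-coordinates PURL used in the demo is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs reproducing the issue: the package URL in plain form and the
# posted suppression rule, first with the stray backtick and then without it.
PURL = "pkg:maven/org.postgresql/r2dbc-postgresql@0.9.1.RELEASE"

RULE_WITH_BACKTICK = """<suppress base="true">
  <notes><![CDATA[FP per issue #4616]]></notes>
  <packageUrl regex="true">^pkg:maven/org\\.postgresql/r2dbc-postgresql@.*$</packageUrl>
  <cpe>cpe:/a:postgresql:postgresql`</cpe>
</suppress>"""

RULE_FIXED = RULE_WITH_BACKTICK.replace("postgresql`", "postgresql")

# Assumption: a conservative shape for a CPE 2.2 URI ("cpe:/" + part + up to six
# colon-separated components of alphanumerics, . _ - ~, percent escapes and the
# * / ? wildcards). Anything else, such as a backtick, is reported as malformed.
_CPE22_URI = re.compile(r"^cpe:/[aho](:[A-Za-z0-9._~*?%-]*){1,6}$")


def check_suppression(rule_xml: str, purl: str) -> dict:
    """Evaluate one bare <suppress> element against a package URL.

    Returns whether the packageUrl element matches purl, the cpe values found,
    those that are malformed, and whether the rule as written can apply at all
    (packageUrl matches and every cpe is well-formed).
    """
    root = ET.fromstring(rule_xml)
    purl_el = root.find("packageUrl")
    if purl_el is None or not purl_el.text:
        purl_matches = False
    else:
        pattern = purl_el.text.strip()
        if purl_el.get("regex", "false").lower() == "true":
            purl_matches = re.fullmatch(pattern, purl) is not None
        else:
            purl_matches = pattern == purl
    cpes = [(c.text or "").strip() for c in root.findall("cpe")]
    bad_cpes = [c for c in cpes if not _CPE22_URI.match(c)]
    return {
        "purl_matches": purl_matches,
        "cpes": cpes,
        "bad_cpes": bad_cpes,
        "applies": purl_matches and not bad_cpes,
    }


if __name__ == "__main__":
    for name, rule in (("with backtick", RULE_WITH_BACKTICK), ("fixed", RULE_FIXED)):
        print(name, check_suppression(rule, PURL))
    # Constructed PURL under the old io.r2dbc group: the regex must not match it.
    print("old group", check_suppression(RULE_FIXED, "pkg:maven/io.r2dbc/r2dbc-postgresql@0.9.1.RELEASE"))
```

Running it shows the posted rule matching the package URL but carrying a malformed cpe, the corrected rule applying cleanly, and the regex correctly leaving the old io.r2dbc coordinates alone, so a second rule would still be needed for projects that have not yet moved to the new group.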