DependencyCheck
[FP]: CVE-2022-34305 reported for tomcat-embed-core and tomcat-embed-websocket
Package URL
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.63
CPE
cpe:2.3:a:apache:tomcat:9.0.63:*:*:*:*:*:*:*
CVE
CVE-2022-34305
ODC Integration
Gradle Plugin
ODC Version
7.1.1
Description
Check output showing all pkg and cpe information:
tomcat-embed-core-9.0.63.jar (pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.63, cpe:2.3:a:apache:tomcat:9.0.63:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.63:*:*:*:*:*:*:*) : CVE-2022-34305
tomcat-embed-websocket-9.0.63.jar (pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.63, cpe:2.3:a:apache:tomcat:9.0.63:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.63:*:*:*:*:*:*:*) : CVE-2022-34305
Looks like the fix with Tomcat 9.0.65 is not released yet. However, the above dependencies are unaffected by this CVE, based on this discussion.
Maven Coordinates
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-core</artifactId>
    <version>9.0.63</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #4634
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-core@.*$</packageUrl>
    <cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2588462271
Suppression rule:
<suppress base="true">
    <notes><![CDATA[ FP per issue #4634 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-core@.*$</packageUrl>
    <cpe>cpe:/a:apache:tomcat</cpe>
</suppress>
This does not suppress the report on tomcat-embed-websocket-9.0.63.jar. Any suggestion on how to include that?
By the way, this affects 9.0.64 as well.
I went with these excludes (using cve rather than cpe, which looked dangerous):
<suppress base="true">
    <notes><![CDATA[
    FP per issue #4634
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-core@.*$</packageUrl>
    <cve>CVE-2022-34305</cve>
</suppress>
<suppress base="true">
    <notes><![CDATA[
    FP per issue #4634
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-websocket@.*$</packageUrl>
    <cve>CVE-2022-34305</cve>
</suppress>
Had the same idea and tried to write a common expression for both:
<suppress until="2022-08-01Z" base="true">
    <notes><![CDATA[ FP per issue #4634 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-*@.*$</packageUrl>
    <cve>CVE-2022-34305</cve>
</suppress>
Unfortunately this does not work 😕
I guess that is because your expression is invalid.
Yep, it was missing a '.' before the '*'.
This works:
<suppress until="2022-08-01Z" base="true">
    <notes><![CDATA[ FP per issue #4634 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-.*@.*$</packageUrl>
    <cve>CVE-2022-34305</cve>
</suppress>
I also added an expiration: I want to check this in a month if a proper solution has been released.
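The thread turns on two points that are easy to get wrong in a suppression file: the packageUrl regex (tomcat-embed-*@ matches "tomcat-embed" followed by zero or more hyphens, so it hits neither jar, while tomcat-embed-.*@ hits both) and the choice of cve versus cpe scope (a cpe prefix silences every vulnerability ever reported against that product, a cve entry silences only the one identifier). The following Python is an added example, not DependencyCheck's own code: it parses the three rule variants from the thread and evaluates them against a constructed list of findings in the shape ODC printed above. The matching semantics (full regex match on the package URL, exact CVE match, prefix match of the cpe:/ URI form) are a simplified model of ODC's behaviour and are an assumption here; the CVE-XXXX-PLACEHOLDER finding is made up to show what a cpe-scoped rule also swallows.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample findings in the shape ODC reported in this issue:
# (package URL, matched CPE, CVE). The first three mirror the jars and the
# CVE from the report; the last is a made-up placeholder CVE on the same jar,
# included only to show the difference between a cpe- and a cve-scoped rule.
FINDINGS = [
    ("pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.63",
     "cpe:2.3:a:apache:tomcat:9.0.63:*:*:*:*:*:*:*", "CVE-2022-34305"),
    ("pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.63",
     "cpe:2.3:a:apache:tomcat:9.0.63:*:*:*:*:*:*:*", "CVE-2022-34305"),
    ("pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.64",
     "cpe:2.3:a:apache:tomcat:9.0.64:*:*:*:*:*:*:*", "CVE-2022-34305"),
    ("pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.63",
     "cpe:2.3:a:apache:tomcat:9.0.63:*:*:*:*:*:*:*", "CVE-XXXX-PLACEHOLDER"),
]

# The three rule variants from the thread, one <suppress> each so they can be
# evaluated independently. The real file also declares the ODC suppression
# schema namespace; it is left out here so plain ElementTree lookups work.
RULES_XML = r"""<suppressions>
  <suppress base="true">
    <notes><![CDATA[ cpe-scoped: core jar, every CVE on apache:tomcat ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-core@.*$</packageUrl>
    <cpe>cpe:/a:apache:tomcat</cpe>
  </suppress>
  <suppress base="true">
    <notes><![CDATA[ broken regex: '-*' is zero or more hyphens, not a wildcard ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-*@.*$</packageUrl>
    <cve>CVE-2022-34305</cve>
  </suppress>
  <suppress base="true">
    <notes><![CDATA[ FP per issue #4634 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-.*@.*$</packageUrl>
    <cve>CVE-2022-34305</cve>
  </suppress>
</suppressions>
"""


def compile_rules(xml_text):
    """Extract the parts of each <suppress> that this model evaluates."""
    root = ET.fromstring(xml_text)
    rules = []
    for s in root.iter("suppress"):
        purl_el = s.find("packageUrl")
        rules.append({
            "notes": (s.findtext("notes") or "").strip(),
            "purl": purl_el.text.strip() if purl_el is not None else None,
            "purl_regex": purl_el is not None and purl_el.get("regex") == "true",
            "cves": {c.text.strip() for c in s.findall("cve")},
            "cpes": {c.text.strip() for c in s.findall("cpe")},
        })
    return rules


def cpe23_to_uri(cpe23):
    """Reduce a cpe:2.3 string to the 'cpe:/part:vendor:product:version'
    prefix form used in suppression files (simplified: later fields and
    escaping are ignored)."""
    fields = cpe23.split(":")  # 'cpe', '2.3', part, vendor, product, version, ...
    return "cpe:/" + ":".join(fields[2:6])


def rule_suppresses(rule, purl, cpe23, cve):
    """Assumed semantics: the package URL must match (full regex match when
    regex="true", otherwise exact), then either the CVE is listed or the
    finding's CPE starts with one of the rule's cpe:/ prefixes."""
    if rule["purl"] is not None:
        if rule["purl_regex"]:
            if re.fullmatch(rule["purl"], purl) is None:
                return False
        elif rule["purl"] != purl:
            return False
    if cve in rule["cves"]:
        return True
    uri = cpe23_to_uri(cpe23)
    return any(uri.startswith(prefix) for prefix in rule["cpes"])


def evaluate(xml_text, findings):
    """Return, per rule in file order, the list of (purl, cve) it suppresses."""
    return [
        [(purl, cve) for purl, cpe23, cve in findings
         if rule_suppresses(rule, purl, cpe23, cve)]
        for rule in compile_rules(xml_text)
    ]


if __name__ == "__main__":
    for rule, hits in zip(compile_rules(RULES_XML), evaluate(RULES_XML, FINDINGS)):
        print(rule["notes"])
        for purl, cve in hits:
            print("   suppresses", cve, "on", purl)
        if not hits:
            print("   suppresses nothing")
```

Run as a script, the output shows the broken pattern suppressing nothing, the fixed cve-scoped pattern covering both jars and both versions for exactly CVE-2022-34305, and the cpe-scoped rule from the first comment also swallowing the placeholder CVE on the core jar, which is the over-reach the "looked dangerous" remark refers to.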
Closing now as a won't fix, as non-affected Tomcat versions have been released and we don't want to micro-manage frameworks that are released as a whole. (The CVE was for JSPs packaged by Tomcat in their binary distribution, so for these jars it is an FP, but as a rule of thumb we do not micromanage components of a larger whole as that would take too much time for a developer community as small as ours.)