DependencyCheck
[FP]: Shaded JRuby dirgra being confused for JRuby itself
Package URL
pkg:maven/org.jruby/[email protected]
CPE
cpe:/a:jruby:jruby
CVE
No response
ODC Integration
Gradle Plugin
ODC Version
7.1.1
Description
<suppress>
<notes><![CDATA[
Suppressing false positive caused by OWASP Dependency Check thinking the shaded/packaged dirgra library is the same
as the JRuby version. These are versioned independently and not the same thing.
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
See https://github.com/jruby/dirgra
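The suppression above relies on two selectors working together: the `packageUrl` regex pins the rule to the shaded dirgra artifact (so findings on `org.jruby:jruby-complete` itself are not silenced), and the `cpe` prefix names the identifier to drop. The checker below is an added example, not code from this issue or from Dependency-Check; it approximates ODC's documented suppression matching (full regex match when `regex="true"`, case-insensitive prefix match otherwise) and normalizes the CPE 2.3 string that the HTML report prints into the `cpe:/...` 2.2 form the rule uses. The findings list is constructed from the report excerpt further down in this thread, with one extra entry for the real JRuby artifact that the rule must leave alone. All function names and the field layout are assumptions for the example.

```python
import re

# Constructed sample findings modelled on the report in this issue: the shaded
# dirgra pom inside jruby-complete, plus the real JRuby artifact (hypothetical
# second entry) that the rule must NOT suppress.
FINDINGS = [
    {"packageUrl": "pkg:maven/org.jruby/dirgra@0.3",
     "cpe": "cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:*"},
    {"packageUrl": "pkg:maven/org.jruby/jruby-complete@9.3.8.0",
     "cpe": "cpe:2.3:a:jruby:jruby:9.3.8.0:*:*:*:*:*:*:*"},
]

# The suppression rule from this issue, as plain fields (assumed layout).
RULE = {
    "packageUrl": r"^pkg:maven/org\.jruby/dirgra@.*$",
    "packageUrl_regex": True,
    "cpe": "cpe:/a:jruby:jruby",
    "cpe_regex": False,
}


def split_cpe23(fs: str) -> list[str]:
    """Split a CPE 2.3 formatted string on unescaped colons only."""
    fields, cur, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):      # keep the escaped char literally
            cur.append(fs[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def cpe23_to_cpe22(fs: str) -> str:
    """cpe:2.3:part:vendor:product:version:update:edition:lang:... ->
    cpe:/part:vendor:product:version:update:edition:lang, dropping trailing
    ANY ('*') components. Simplification: the four extended 2.3 attributes
    are dropped and escaped characters are not percent-encoded."""
    fields = split_cpe23(fs)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs}")
    comps = ["" if f == "*" else f for f in fields[2:9]]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)


def field_matches(value: str, pattern: str, regex: bool) -> bool:
    """Assumed ODC-style matching: whole-string regex when regex="true",
    otherwise a case-insensitive prefix match."""
    if regex:
        return re.fullmatch(pattern, value) is not None
    return value.lower().startswith(pattern.lower())


def rule_suppresses(rule: dict, finding: dict) -> bool:
    """Every selector present in the rule must match for it to apply."""
    if "packageUrl" in rule and not field_matches(
            finding["packageUrl"], rule["packageUrl"], rule.get("packageUrl_regex", False)):
        return False
    if "cpe" in rule and not field_matches(
            cpe23_to_cpe22(finding["cpe"]), rule["cpe"], rule.get("cpe_regex", False)):
        return False
    return True


def check_rule(rule: dict, findings: list[dict]) -> list[bool]:
    """One verdict per finding, in input order."""
    return [rule_suppresses(rule, f) for f in findings]


if __name__ == "__main__":
    for finding, hit in zip(FINDINGS, check_rule(RULE, FINDINGS)):
        print(f"{finding['packageUrl']:<48} suppressed={hit}")
```

Run it before committing a suppression: the first finding (the shaded dirgra pom) should come back suppressed and the second (the real JRuby jar) should not. If both were suppressed, the rule would be too broad and would hide genuine JRuby CVEs, which is the failure mode to avoid when silencing a shaded-artifact false positive.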
Maven Coordinates
<dependency>
<groupId>org.jruby</groupId>
<artifactId>dirgra</artifactId>
<version>0.3</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #4647
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2623816908
Maven Coordinates
<dependency>
<groupId>org.jruby</groupId>
<artifactId>dirgra</artifactId>
<version>0.3</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #4647
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3172104249
Maven Coordinates
<dependency>
<groupId>org.jruby</groupId>
<artifactId>dirgra</artifactId>
<version>0.3</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #4647
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3172120850
Was merged and released with 7.1.2.
Hi @aikebah - are you able to point me to how this was resolved or the relevant suppression?
I am still getting this and needing to suppress with 7.2.1 via the Gradle plugin so will check if there is something else going on here.
https://github.com/gocd/gocd/blob/75e13170e1cd5eb9f07015bf69719bfb17147043/buildSrc/dependency-check-suppress.xml#L19-L26
dependency-check version: 7.2.1
Report Generated On: Sun, 9 Oct 2022 03:35:25 +0530
Dependencies Scanned: 320 (317 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 115
jruby-complete-9.3.8.0.jar (shaded: org.jruby:dirgra:0.3)
Description: Simple Directed Graph
License: EPL: http://www.eclipse.org/legal/epl-v10.html
File Path: /go/.gradle/caches/modules-2/files-2.1/org.jruby/jruby-complete/9.3.8.0/8e11191265ab501930125081d8c21a3f55f1b8cd/jruby-complete-9.3.8.0.jar/META-INF/maven/org.jruby/dirgra/pom.xml
MD5: 4d7f76247a22e56064ab9db464794cd4
SHA1: 91c78b3f134c5b1f04d3a6447d246cf0a0d9a8e2
SHA256: d0f49f7eaf14307bc8ce44b14fe999c1330e029043f6e8a125b5a9f7ed1c417a
Suppressed Identifiers
cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:* suppressed (Confidence:Highest)
@chadlwilson This should be fixed by #4688 according to its message (but was not picked up by GitHub automation for closure on merge), as the fixes keyword was not repeated before each mentioned issue.
Looking at the linked PR it appears that this issue was wrongly linked there... reopening
Maven Coordinates
<dependency>
<groupId>org.jruby</groupId>
<artifactId>dirgra</artifactId>
<version>0.3</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #4647
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
<cpe>cpe:/a:jruby:jruby</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3214142169
approved
Suppress rule has been added to the generatedSuppressions branch.
Ahh, I see - yeah, incorrect accidental linkage back there. Thanks!