
[FP]: jruby-readline confused for jruby itself

Open · chadlwilson opened this issue 1 year ago • 1 comment

Package URL

pkg:maven/rubygems/jruby-readline@1.3.7

CPE

cpe:/a:jruby:jruby

CVE

No response

ODC Integration

Gradle Plugin

ODC Version

7.1.1

Description

https://github.com/jruby/jruby-readline is an independently versioned project (also see https://mvnrepository.com/artifact/rubygems/jruby-readline/1.3.7)

chadlwilson, Jul 06 '22 15:07

Bot cannot find the dependency as it's not a regular "jar" artifact in Maven Central. It's a JRuby java gem that relies on a special Gradle plugin/repository to resolve (and a dependency that is sometimes shaded into JRuby itself): See https://github.com/jruby/jruby-readline and https://mvnrepository.com/artifact/rubygems/jruby-readline/1.3.7

chadlwilson, Jul 06 '22 15:07

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3172102215

github-actions[bot], Oct 03 '22 06:10

Suggested suppression rule

<suppress base="true">
    <notes><![CDATA[
    FP per issue #4648
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-readline@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
</suppress>

chadlwilson, Oct 08 '22 09:10
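A check worth running before committing a suppression rule like the one above: confirm the packageUrl regex selects only the artifact that triggered the false positive (jruby-readline) and does not also silence the jruby CPE for JRuby itself, which is the very match the scanner should keep. The script below is an added example, not code from the DependencyCheck project; it parses a single <suppress> element, applies the match semantics as I read them from the suppression documentation (packageUrl with regex="true" is a whole-string regex match, a cpe value without a version acts as a prefix), and compares the result against a constructed list of expected outcomes. The org.jruby/jruby coordinates, versions and the over-broad comparison rule are assumed, not taken from the issue.

```python
import re
import xml.etree.ElementTree as ET

# The rule suggested in this issue, verbatim.
SUGGESTED_RULE_XML = r"""<suppress base="true">
    <notes><![CDATA[
    FP per issue #4648
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-readline@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
</suppress>"""

# A deliberately over-broad variant, constructed here only for comparison:
# it also matches the real JRuby artifact, so it would hide true positives.
BROAD_RULE_XML = r"""<suppress>
    <packageUrl regex="true">^pkg:maven/.*jruby.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
</suppress>"""


def parse_rule(xml_text):
    """Extract the packageUrl selector and the suppressed cpe from one <suppress> element."""
    root = ET.fromstring(xml_text)
    purl_el = root.find("packageUrl")
    cpe_el = root.find("cpe")
    return {
        "purl": purl_el.text.strip(),
        "purl_regex": purl_el.get("regex", "false").lower() == "true",
        "cpe": cpe_el.text.strip(),
    }


def rule_suppresses(rule, purl, cpe):
    """True if the rule would drop `cpe` from the dependency identified by `purl`.

    Assumed semantics (my reading of the Dependency-Check suppression docs):
    packageUrl is an exact string, or with regex="true" a regex that must match
    the whole PURL; a cpe given without a version suppresses every CPE that
    starts with it.
    """
    if rule["purl_regex"]:
        purl_hit = re.fullmatch(rule["purl"], purl) is not None
    else:
        purl_hit = rule["purl"] == purl
    cpe_hit = cpe == rule["cpe"] or cpe.startswith(rule["cpe"] + ":")
    return purl_hit and cpe_hit


# Constructed sample identifications: (purl, cpe the scanner paired it with,
# whether the rule is supposed to suppress that pairing). Coordinates and
# versions other than jruby-readline@1.3.7 are assumed.
EXPECTATIONS = [
    ("pkg:maven/rubygems/jruby-readline@1.3.7", "cpe:/a:jruby:jruby:1.3.7", True),
    ("pkg:maven/org.jruby/jruby@9.3.4.0", "cpe:/a:jruby:jruby:9.3.4.0", False),
    ("pkg:maven/org.jruby/jruby-complete@9.3.4.0", "cpe:/a:jruby:jruby:9.3.4.0", False),
    ("pkg:maven/rubygems/jruby-readline@1.3.7", "cpe:/a:gnu:readline:1.3.7", False),
]


def scope_mismatches(rule, expectations=EXPECTATIONS):
    """Return the (purl, cpe, wanted) triples the rule gets wrong; empty means correctly scoped."""
    return [(p, c, want) for p, c, want in expectations
            if rule_suppresses(rule, p, c) != want]


if __name__ == "__main__":
    for name, xml_text in (("suggested", SUGGESTED_RULE_XML), ("over-broad", BROAD_RULE_XML)):
        bad = scope_mismatches(parse_rule(xml_text))
        print(f"{name} rule: {'OK' if not bad else 'mis-scoped: ' + str(bad)}")
```

Running it reports the suggested rule as correctly scoped and flags the over-broad variant on the two JRuby artifacts, which is the difference between suppressing one false positive and blinding the scanner to real JRuby advisories. The same expectation list can be kept beside a project's suppressions.xml and re-run whenever a rule is added.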