DependencyCheck
[FP]: jruby-openssl confused for jruby itself
Package URL
pkg:maven/rubygems/[email protected]
CPE
cpe:/a:jruby:jruby
CVE
No response
ODC Integration
Gradle Plugin
ODC Version
7.1.1
Description
jruby-openssl is an independently versioned add-on - not JRuby itself. https://github.com/jruby/jruby-openssl
Bot cannot find the dependency as it's not in Maven Central. It's a JRuby java gem that relies on a special Gradle plugin/repository to resolve (and a dependency that is sometimes shaded into JRuby itself): https://rubygems.org/gems/jruby-openssl
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3172100441
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3209968965
Suggested suppression rule
<suppress base="true">
    <notes><![CDATA[
    FP per issue #4649
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
    <cpe>cpe:/a:openssl:openssl</cpe>
</suppress>
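To confirm that the suggested rule above suppresses only the jruby-openssl gem and leaves a real JRuby artifact flagged, here is an added Python check; it is not part of the issue or of Dependency-Check's own code. It parses the suppression XML, applies the packageUrl regex to constructed package URLs (the version numbers are made up for the test), and treats non-regex cpe entries as prefixes of the identified CPE URI, which is an assumption about how Dependency-Check matches them rather than something the issue states.

```python
"""Dry-run a Dependency-Check suppression rule against constructed purl/CPE pairs."""
import re
import xml.etree.ElementTree as ET

# The suggested rule from the issue, embedded verbatim so this runs offline.
SUPPRESSION_XML = r"""<suppress base="true">
    <notes><![CDATA[
    FP per issue #4649
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
    <cpe>cpe:/a:openssl:openssl</cpe>
</suppress>"""


def parse_rule(xml_text):
    """Return (purl_pattern, purl_is_regex, [cpe prefixes]) from one <suppress> element."""
    root = ET.fromstring(xml_text)
    purl_el = root.find("packageUrl")
    pattern = purl_el.text.strip()
    is_regex = purl_el.get("regex", "false").lower() == "true"
    cpes = [c.text.strip() for c in root.findall("cpe")]
    return pattern, is_regex, cpes


def rule_suppresses(rule, purl, cpe):
    """True when both the dependency's purl and the matched CPE fall under the rule.

    Assumption: a non-regex <cpe> entry is a prefix match on the CPE URI, so
    'cpe:/a:jruby:jruby' also covers 'cpe:/a:jruby:jruby:9.3.0.0'.
    """
    pattern, is_regex, cpes = rule
    if is_regex:
        purl_ok = re.search(pattern, purl) is not None
    else:
        purl_ok = purl == pattern
    cpe_ok = any(cpe.startswith(prefix) for prefix in cpes)
    return purl_ok and cpe_ok


# Constructed test pairs: versions and artifact names are made up for this check.
CASES = [
    ("pkg:maven/rubygems/jruby-openssl@0.14.0", "cpe:/a:jruby:jruby"),
    ("pkg:maven/rubygems/jruby-openssl@0.14.0", "cpe:/a:openssl:openssl:1.1.1"),
    ("pkg:maven/org.jruby/jruby-complete@9.3.0.0", "cpe:/a:jruby:jruby"),  # real JRuby, must stay flagged
    ("pkg:maven/rubygems/jruby-openssl@0.14.0", "cpe:/a:apache:log4j"),  # unrelated CPE, must stay flagged
]


def evaluate_cases(xml_text=SUPPRESSION_XML, cases=CASES):
    """Return a list of (purl, cpe, suppressed) for every constructed case."""
    rule = parse_rule(xml_text)
    return [(purl, cpe, rule_suppresses(rule, purl, cpe)) for purl, cpe in cases]


if __name__ == "__main__":
    for purl, cpe, suppressed in evaluate_cases():
        print(f"{'SUPPRESSED' if suppressed else 'flagged   '}  {purl}  {cpe}")
```

Running it prints one line per case; only the two jruby-openssl rows against the jruby and openssl CPEs come back as suppressed, while the JRuby artifact itself and the unrelated CPE remain flagged, which is exactly the scope the issue asks for.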
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3209972664