
[FP]: jruby-openssl confused for jruby itself

Open. chadlwilson opened this issue 1 year ago • 1 comment

Package URL

pkg:maven/rubygems/[email protected]

CPE

cpe:/a:jruby:jruby

CVE

No response

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

7.1.1

Description

jruby-openssl is an independently versioned add-on - not JRuby itself. https://github.com/jruby/jruby-openssl

chadlwilson avatar Jul 06 '22 15:07 chadlwilson

Bot cannot find the dependency as it's not in Maven Central. It's a JRuby java gem that relies on a special Gradle plugin/repository to resolve (and a dependency that is sometimes shaded into JRuby itself): https://rubygems.org/gems/jruby-openssl

chadlwilson avatar Jul 06 '22 15:07 chadlwilson

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3172100441

github-actions[bot] avatar Oct 03 '22 06:10 github-actions[bot]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3209968965

github-actions[bot] avatar Oct 08 '22 09:10 github-actions[bot]

Suggested suppression rule

<suppress base="true">
    <notes><![CDATA[
    FP per issue #4649
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
    <cpe>cpe:/a:openssl:openssl</cpe>
</suppress>

chadlwilson avatar Oct 08 '22 09:10 chadlwilson
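To make the effect of the suppression above concrete, here is an added illustration (not DependencyCheck's own code) of how such a rule is applied: the packageUrl regex decides whether the rule applies to a dependency at all, and only the listed CPEs are then dropped from that dependency's identifiers. It assumes DependencyCheck's documented matching behaviour (a plain cpe entry is a starts-with match, a regex="true" entry is a full regex match); the package URLs and versions in the sample findings are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# The suppression rule proposed in this issue (raw string so "\-" survives intact).
SUPPRESSION_XML = r"""
<suppress base="true">
    <notes><![CDATA[ FP per issue #4649 ]]></notes>
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
    <cpe>cpe:/a:openssl:openssl</cpe>
</suppress>
"""


def parse_rule(rule_xml):
    """Return (packageUrl pattern, is_regex, [(cpe pattern, is_regex), ...])."""
    root = ET.fromstring(rule_xml.strip())
    purl_el = root.find("packageUrl")
    purl_is_regex = purl_el.get("regex", "false") == "true"
    cpes = [(c.text.strip(), c.get("regex", "false") == "true")
            for c in root.findall("cpe")]
    return purl_el.text.strip(), purl_is_regex, cpes


def pattern_hits(pattern, is_regex, value):
    # Assumed semantics: regex entries must match the whole value,
    # plain entries are a starts-with comparison.
    if is_regex:
        return re.fullmatch(pattern, value) is not None
    return value.startswith(pattern)


def apply_rule(rule_xml, purl, identified_cpes):
    """CPEs that remain on a dependency after the rule is applied."""
    purl_pat, purl_is_regex, cpe_pats = parse_rule(rule_xml)
    if not pattern_hits(purl_pat, purl_is_regex, purl):
        return list(identified_cpes)  # rule does not apply to this dependency
    return [cpe for cpe in identified_cpes
            if not any(pattern_hits(p, r, cpe) for p, r in cpe_pats)]


if __name__ == "__main__":
    # Constructed sample findings; versions are placeholders, not real releases.
    gem = "pkg:maven/rubygems/jruby-openssl@0.0.0-example"
    jruby = "pkg:maven/org.jruby/jruby-complete@0.0.0-example"
    print(apply_rule(SUPPRESSION_XML, gem, ["cpe:/a:jruby:jruby", "cpe:/a:openssl:openssl"]))
    print(apply_rule(SUPPRESSION_XML, jruby, ["cpe:/a:jruby:jruby"]))
```

The second call shows the rule is scoped by package URL: the same jruby CPE on JRuby itself is left untouched, so real JRuby findings keep being reported.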

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3209972664

github-actions[bot] avatar Oct 08 '22 09:10 github-actions[bot]