DependencyCheck
[FP]: jruby-openssl confused for openssl itself
Package URL
pkg:maven/rubygems/[email protected]
CPE
cpe:/a:openssl:openssl
CVE
No response
ODC Integration
Gradle Plugin
ODC Version
7.1.1
Description
jruby-openssl is an emulation library that uses Java native crypto. It has nothing to do with openssl: https://github.com/jruby/jruby-openssl
Bot cannot find the dependency as it's not in Maven Central. It's a JRuby java gem that relies on a special Gradle plugin/repository to resolve (and a dependency that is sometimes shaded into JRuby itself): https://rubygems.org/gems/jruby-openssl
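Until the matching is fixed upstream, the practical workaround for this false positive is a suppression rule that keeps the OpenSSL CPE from being attached to the jruby-openssl package URL. The file below is an added example, not part of this issue or of the DependencyCheck project itself; the file name `odc-suppressions.xml` is an assumption, and the regex is anchored to the `pkg:maven/rubygems/jruby-openssl` package URL shown in the report so that it does not suppress the CPE for genuine OpenSSL bindings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: odc-suppressions.xml (added example, not from the issue) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>
      jruby-openssl emulates the Ruby OpenSSL API on top of Java crypto
      (https://github.com/jruby/jruby-openssl); it does not bundle or link the
      OpenSSL C library, so cpe:/a:openssl:openssl is a false positive.
    </notes>
    <!-- Match any version of this one package only; other pkg:maven/rubygems/* artifacts are unaffected -->
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
    <cpe>cpe:/a:openssl:openssl</cpe>
  </suppress>
</suppressions>
```

With the Gradle plugin the file is wired in via `dependencyCheck { suppressionFile = 'odc-suppressions.xml' }`. Suppressing the CPE rather than individual CVEs means every current and future OpenSSL advisory is excluded for this package, which is the intent here; if a later jruby-openssl release ever did start shipping native OpenSSL, the rule would need revisiting.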
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3172085452
Since the bot can't handle this automatically due to use of the RubyGems Maven repo, closing in favour of #4649.