
[FP]: jruby-openssl confused for openssl itself

Open · chadlwilson opened this issue 1 year ago · 1 comment

Package URL

pkg:maven/rubygems/[email protected]

CPE

cpe:/a:openssl:openssl

CVE

No response

ODC Integration

Gradle Plugin

ODC Version

7.1.1

Description

jruby-openssl is an emulation library that uses Java native crypto. It has nothing to do with openssl: https://github.com/jruby/jruby-openssl

chadlwilson avatar Jul 06 '22 15:07 chadlwilson
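Until the CPE mapping is corrected upstream, the practical fix for this kind of false positive is a scoped suppression: pin it to the one package URL and the one CPE, so genuine OpenSSL findings on other artifacts are not hidden. The rule below is an added example, not taken from the issue or from the DependencyCheck project; the file name and the Gradle `suppressionFile` wiring are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the issue above.
     Assumed file name: dependency-check-suppressions.xml, wired into the Gradle plugin with
       dependencyCheck { suppressionFile = 'dependency-check-suppressions.xml' }
     Scope is deliberately narrow: one package URL pattern plus one CPE, not a blanket
     suppression of every finding on the artifact. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      jruby-openssl is a Java emulation of Ruby's OpenSSL API and does not bundle or
      link the openssl C library, so cpe:/a:openssl:openssl is a false positive here.
      Matched by package URL (any version of the gem) so the rule survives upgrades;
      remove it if the gem ever starts shipping native OpenSSL code.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
    <cpe>cpe:/a:openssl:openssl</cpe>
  </suppress>
</suppressions>
```

Re-run the scan after adding the rule and confirm in the report that the openssl CPE no longer appears on jruby-openssl while any OpenSSL findings on other dependencies are unchanged.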

Bot cannot find the dependency as it's not in Maven Central. It's a JRuby java gem that relies on a special Gradle plugin/repository to resolve (and a dependency that is sometimes shaded into JRuby itself): https://rubygems.org/gems/jruby-openssl

chadlwilson avatar Jul 06 '22 15:07 chadlwilson

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/3172085452

github-actions[bot] avatar Oct 03 '22 06:10 github-actions[bot]

Since the bot can't handle this automatically due to use of the RubyGems Maven repo, closing in favour of #4649

chadlwilson avatar Oct 08 '22 09:10 chadlwilson