
[FP]: openhtmltopdf-jsoup-dom-converter-1.0.0.jar flagged with cpe:2.3:a:jsoup:jsoup:1.0.0:*:*:*:*:*:*:*

Open cmuchinsky opened this issue 3 years ago • 2 comments

Package URL

pkg:maven/com.openhtmltopdf/[email protected]

CPE

cpe:2.3:a:jsoup:jsoup:1.0.0:*:*:*:*:*:*:*

CVE

CVE-2021-37714, CVE-2015-6748

ODC Integration

Gradle Plugin

ODC Version

7.1.1

Description

openhtmltopdf-jsoup-dom-converter-1.0.0.jar flagged with cpe:2.3:a:jsoup:jsoup:1.0.0:*:*:*:*:*:*:*

cmuchinsky, Aug 03 '22 13:08

Maven Coordinates

<dependency>
   <groupId>com.openhtmltopdf</groupId>
   <artifactId>openhtmltopdf-jsoup-dom-converter</artifactId>
   <version>1.0.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4729
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.openhtmltopdf/openhtmltopdf-jsoup-dom-converter@.*$</packageUrl>
   <cpe>cpe:/a:jsoup:jsoup</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2789688299

github-actions[bot], Aug 03 '22 13:08
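For readers who need to silence this finding in their own build before the generated rule ships with a release, here is a complete project-local suppression file built around the rule the bot generated above. This is an added example, not a file from the DependencyCheck project or from the issue author; the file name `config/dependency-check-suppressions.xml` is an assumption. It keeps the suppression keyed on both the package URL and the CPE, so the genuine `pkg:maven/org.jsoup/jsoup` artifact that this converter pulls in transitively is still matched against CVE-2021-37714 and CVE-2015-6748; only the mis-identification of the converter jar as jsoup is hidden. Suppressing by CVE alone would also hide the real jsoup finding, which is the opposite of what the issue establishes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- config/dependency-check-suppressions.xml (assumed path; added example, not project code) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!--
      openhtmltopdf-jsoup-dom-converter is an adapter around jsoup, not jsoup itself.
      ODC matches it to cpe:/a:jsoup:jsoup because of the artifact name; see
      jeremylong/DependencyCheck#4729. The base="true" attribute from the bot's rule is
      only used in ODC's bundled suppression list and is omitted here.
    -->
    <suppress>
        <notes><![CDATA[
        False positive: the jsoup CPE does not apply to the converter jar.
        The real transitive jsoup dependency is NOT suppressed by this rule,
        because the packageUrl below only matches the com.openhtmltopdf artifact.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.openhtmltopdf/openhtmltopdf-jsoup-dom-converter@.*$</packageUrl>
        <cpe>cpe:/a:jsoup:jsoup</cpe>
    </suppress>
</suppressions>
```

With the Gradle plugin the issue was reported against, point the `dependencyCheck` extension's `suppressionFile` property at this file and re-run `dependencyCheckAnalyze`; the converter jar should drop out of the report while any vulnerable `org.jsoup:jsoup` version on the classpath remains flagged, which is the check worth doing before committing the suppression.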

The transitive dependency on jsoup has a vulnerability, but this library itself is not vulnerable

cmuchinsky, Aug 03 '22 13:08

@cmuchinsky Fully agree on the FP, but did you also spot that the library is deprecated for removal and advertises to change to using the Jsoup provided W3CDom helper class?

aikebah, Sep 20 '22 19:09

approved

aikebah, Sep 20 '22 19:09

Suppress rule has been added to the generatedSuppressions branch.

github-actions[bot], Sep 20 '22 19:09