
[FP]: CVE-2022-1799 false positive reported after play-services-basement is updated to 18.0.2

Open y25zhao opened this issue 3 years ago • 2 comments

Package URL

pkg:maven/com.google.android.gms/play-services-basement@18.0.2

CPE

cpe:2.3:a:com.google.android.gms:play-services-basement:18.0.2:::::::*

CVE

CVE-2022-1799

ODC Integration

Gradle Plugin

ODC Version

7.1.1

Description

According to the https://developers.google.com/android/guides/releases release notes, the May 03, 2022 (18.0.2) release of play-services-basement should have addressed this vulnerability. However, the dependency-check report still shows 18.0.2 as an affected version. The NVD CVE-2022-1799 link: https://nvd.nist.gov/vuln/detail/CVE-2022-1799#range-8195910 also says the affected software configuration is Up to (excluding) 18.0.2. Please consider fixing this at the earliest possible as it is blocking our build pipeline. Thanks

y25zhao avatar Aug 15 '22 22:08 y25zhao

Error parsing package url: https://mvnrepository.com/artifact/com.google.android.gms/play-services-basement.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] avatar Aug 15 '22 22:08 github-actions[bot]

URL Updated

y25zhao avatar Aug 15 '22 22:08 y25zhao

This appears to be a metadata mismatch in OSSIndex, please raise the issue with them as they still flag 18.0.2 as subject to the CVE.

aikebah avatar Dec 07 '22 18:12 aikebah
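While the upstream OSSIndex metadata is pending correction, the usual way to unblock a pipeline on a confirmed false positive is a scoped suppression. The entry below is an added example, not code from the issue or from the dependency-check project; it assumes the file is the one the Gradle plugin's `suppressionFile` setting points at, and the `until` date is a placeholder to be set to a real re-review date.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example suppression file for dependency-check (not from the issue). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- "until" forces the suppression to expire so the finding is re-evaluated
         once OSSIndex has corrected its metadata (placeholder date). -->
    <suppress until="YYYY-MM-DD">
        <notes><![CDATA[
        CVE-2022-1799 is fixed in play-services-basement 18.0.2 per the Google
        release notes and the NVD range (affected: up to, excluding, 18.0.2).
        Flag is an OSSIndex metadata mismatch. Re-check on expiry.
        ]]></notes>
        <!-- Pin the exact fixed version rather than the whole artifact, so a
             downgrade below 18.0.2 would still surface the real finding. -->
        <packageUrl regex="true">^pkg:maven/com\.google\.android\.gms/play\-services\-basement@18\.0\.2$</packageUrl>
        <!-- Suppress only this CVE, not every finding for the package. -->
        <cve>CVE-2022-1799</cve>
    </suppress>
</suppressions>
```

Keying the suppression on both the exact package URL and the single CVE keeps it from hiding a different or future finding against the same artifact.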