DependencyCheck

[FP]: CVE-2022-37422 incorrectly detected on pkg:maven/org.eclipse.microprofile.config/microprofile-config-api@2.0.1

Open thescouser89 opened this issue 3 years ago • 2 comments

Package URL

pkg:maven/org.eclipse.microprofile.config/microprofile-config-api@2.0.1

CPE

cpe:2.3:a:payara:payara:2.0.1:*:*:*:*:*:*:*

CVE

CVE-2022-37422

ODC Integration

Maven Plugin

ODC Version

7.1.2

Description

I have a Java project using microprofile-config-api, which is pulled in as a dependency from Quarkus 2.11.3.Final.

The plugin is flagging it as CVE-2022-37422; however, this is a Payara issue, not a microprofile-config-api one.

thescouser89 (Aug 25 '22 21:08)

Error parsing package url: pkg:maven/org.eclipse.microprofile.config/microprofile-config-api@2.0.1 .

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] (Aug 25 '22 21:08)

Maven Coordinates

<dependency>
   <groupId>org.eclipse.microprofile.config</groupId>
   <artifactId>microprofile-config-api</artifactId>
   <version>2.0.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4781
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/microprofile-config-api@.*$</packageUrl>
   <cpe>cpe:/a:payara:payara</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2929748193

github-actions[bot] (Aug 25 '22 21:08)
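To check what the generated rule actually suppresses before committing it, here is an added Python model of the matching (illustrative code written for this page, not Dependency-Check's own implementation, which is Java). It parses the issue's purl, rejecting input the way the bot did when the "pkg:" scheme is missing, loads the suppression rule above from a constructed suppression file, and evaluates it against the payara CPE on this artifact and against constructed non-matching findings. It assumes that a packageUrl with regex="true" is a full-match regular expression over the purl string, that a <cpe> selector without regex="true" is a starts-with match on the CPE 2.2 URI form, and that the 2.3 formatted-string CPE shown in the issue is converted to that form first; the other purl and CPE values used are constructed samples.

```python
"""Model of how an ODC suppression rule with packageUrl + cpe selectors applies to a finding.

Assumptions (illustrative code, not Dependency-Check's own implementation):
  * <packageUrl regex="true"> is a full-match regular expression over the purl string;
  * <cpe> without regex="true" is a "starts with" match against the CPE in 2.2 URI form;
  * the CPE reported in the issue is a 2.3 formatted string, so it is converted first.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs: the purl, CPE and CVE from the issue, plus the bot's
# suppression rule wrapped in the root element an ODC suppression file uses.
PURL = "pkg:maven/org.eclipse.microprofile.config/microprofile-config-api@2.0.1"
CPE = "cpe:2.3:a:payara:payara:2.0.1:*:*:*:*:*:*:*"
CVE = "CVE-2022-37422"

SUPPRESSIONS_XML = """<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #4781
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.eclipse\\.microprofile\\.config/microprofile-config-api@.*$</packageUrl>
    <cpe>cpe:/a:payara:payara</cpe>
  </suppress>
</suppressions>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so element names can be compared directly."""
    return tag.rsplit("}", 1)[-1]


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str


def parse_purl(text: str) -> Purl:
    """Minimal purl parser; raises the same complaint the issue bot reported when 'pkg:' is absent."""
    text = text.strip()
    if not text.startswith("pkg:"):
        raise ValueError('purl is missing the required "pkg" scheme component')
    body = text[len("pkg:"):].lstrip("/")          # 'pkg://' is also accepted by the spec
    path, has_version, version = body.partition("@")
    ptype, _, remainder = path.partition("/")
    namespace, _, name = remainder.rpartition("/")  # namespace may itself contain '/'
    if not ptype or not name:
        raise ValueError("purl needs a type and a name")
    return Purl(ptype, namespace, name, version if has_version else "")


@dataclass(frozen=True)
class SuppressRule:
    notes: str
    purl_regex: Optional["re.Pattern"]
    purl_exact: Optional[str]
    cpe_prefix: Optional[str]
    cves: frozenset


def load_rules(xml_text: str) -> list:
    """Read every <suppress> element into a SuppressRule (only the selectors modelled here)."""
    rules = []
    for sup in ET.fromstring(xml_text).iter():
        if _local(sup.tag) != "suppress":
            continue
        notes, purl_regex, purl_exact, cpe_prefix, cves = "", None, None, None, set()
        for child in sup:
            name, value = _local(child.tag), (child.text or "").strip()
            if name == "notes":
                notes = value
            elif name == "packageUrl":
                if child.get("regex") == "true":
                    purl_regex = re.compile(value)
                else:
                    purl_exact = value
            elif name == "cpe":
                cpe_prefix = value
            elif name == "cve":
                cves.add(value)
        rules.append(SuppressRule(notes, purl_regex, purl_exact, cpe_prefix, frozenset(cves)))
    return rules


def cpe23_to_uri(cpe: str) -> str:
    """Convert a CPE 2.3 formatted string to the 2.2 URI form used in <cpe> selectors.
    Trailing '*' components are dropped so a prefix comparison works as 'starts with'."""
    parts = cpe.split(":")
    if len(parts) > 1 and parts[1] == "2.3":
        fields = parts[2:]
        while fields and fields[-1] == "*":
            fields.pop()
        return "cpe:/" + ":".join(fields)
    return cpe


def is_suppressed(rule: SuppressRule, purl: str, cpe: str, cve: str) -> bool:
    """The dependency selector (packageUrl) must match AND a finding selector (cpe or cve) must match."""
    if rule.purl_regex is not None and rule.purl_regex.fullmatch(purl) is None:
        return False
    if rule.purl_exact is not None and rule.purl_exact != purl:
        return False
    if rule.cpe_prefix is not None and cpe23_to_uri(cpe).startswith(rule.cpe_prefix):
        return True
    return cve in rule.cves


def suppressed_by(rules, purl: str, cpe: str, cve: str) -> Optional[str]:
    """Return the notes of the first rule that suppresses the finding, or None if it stays reported."""
    for rule in rules:
        if is_suppressed(rule, purl, cpe, cve):
            return rule.notes
    return None


if __name__ == "__main__":
    rules = load_rules(SUPPRESSIONS_XML)
    print(parse_purl(PURL))
    print("payara CPE on this artifact:", suppressed_by(rules, PURL, CPE, CVE))
    # constructed other artifact / other CPE: neither should be swallowed by the rule
    print("same CPE, other artifact:", suppressed_by(rules, "pkg:maven/org.example/other-lib@1.0", CPE, CVE))
    print("other CPE, this artifact:",
          suppressed_by(rules, PURL, "cpe:2.3:a:example:other_product:2.0.1:*:*:*:*:*:*:*", CVE))
```

The scoping is the point worth checking: the rule is keyed on the packageUrl (any version of this artifact) and the payara CPE, so a payara match on a different artifact, or a different CPE on this artifact, is still reported. A rule keyed only on the CVE would also hide a real payara finding elsewhere in the build.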

approved

aikebah (Sep 20 '22 18:09)

Suppression rule has been added to the generatedSuppressions branch.

github-actions[bot] (Sep 20 '22 18:09)