
[FP]: CVE-2023-36415 still found in azure-identity 1.10.3

Open JakubJablonski2-TomTom opened this issue 2 years ago • 4 comments

Package URL

pkg:maven/com.azure/azure-identity@1.10.3

CPE

cpe:2.3:a:microsoft:azure_identity_sdk:1.10.3:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_sdk_for_java:1.10.3:*:*:*:*:*:*:*

CVE

CVE-2023-36415

ODC Integration

Maven Plugin

ODC Version

8.4.0

Description

According to https://nvd.nist.gov/vuln/detail/CVE-2023-36415, this CVE affects versions up to (excluding) 1.10.2, but it is reported as present in both 1.10.2 and 1.10.3.

JakubJablonski2-TomTom, Oct 16 '23 09:10

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-identity</artifactId>
   <version>1.10.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5992
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_identity_sdk</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6531560682

github-actions[bot], Oct 16 '23 09:10

Would require an enhancement where the language field of the NVD data is taken into account, as this CPE has a different unbounded up-to-excluding listing per platform (programming language), see https://nvd.nist.gov/vuln/detail/CVE-2023-36415, leading to the Java version being checked against the Python version range.

aikebah, Oct 16 '23 17:10
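To make the matching problem described above concrete, here is an added example (not Dependency-Check's own code) of a CPE range check that does and does not honour the CPE 2.3 target_sw field. The cpeMatch entries are constructed for illustration: only the Java bound (< 1.10.2) is the one quoted in this issue, the Python and .NET bounds are invented placeholders, and the purl-type-to-target_sw table is an assumption about how an analyzer might map ecosystems.

```python
"""Target-software-aware CPE range matching (illustrative, not ODC code).

One CPE product (microsoft:azure_identity_sdk) carries a separate
versionEndExcluding bound per target_sw (java, python, ...). A matcher that
ignores target_sw tests a Maven artifact against every platform's bound,
including the Python one, and reports a false positive.
"""
import re

# Constructed NVD-style cpeMatch entries. The java bound (< 1.10.2) is the one
# quoted in this issue; the python and .net bounds are INVENTED placeholders,
# not the real NVD data for CVE-2023-36415.
SAMPLE_CPE_MATCHES = [
    {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:java:*:*",
     "versionEndExcluding": "1.10.2"},
    {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:python:*:*",
     "versionEndExcluding": "1.14.1"},   # constructed value
    {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:.net:*:*",
     "versionEndExcluding": "1.10.2"},   # constructed value
]

# Assumed mapping from Package-URL type to the CPE target_sw value.
PURL_TYPE_TO_TARGET_SW = {"maven": "java", "pypi": "python", "nuget": ".net",
                          "npm": "node.js", "golang": "go"}

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string on unescaped ':' into its 11 fields."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    fields = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {cpe}")
    return dict(zip(CPE23_FIELDS, fields))


def version_key(version: str) -> tuple:
    """Numeric-aware sort key: '1.10.3' -> (1, 10, 3); non-numeric parts -> -1."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def in_range(version: str, m: dict) -> bool:
    """Check a version against the optional start/end bounds of one cpeMatch."""
    v = version_key(version)
    if "versionStartIncluding" in m and v < version_key(m["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= version_key(m["versionEndExcluding"]):
        return False
    if "versionEndIncluding" in m and v > version_key(m["versionEndIncluding"]):
        return False
    return True


def is_affected(purl_type: str, vendor: str, product: str, version: str,
                matches: list, respect_target_sw: bool = True) -> bool:
    """Return True if any cpeMatch entry covers the package.

    respect_target_sw=False reproduces the behaviour described in this issue:
    the Maven artifact is compared against every platform's version bound.
    """
    target_sw = PURL_TYPE_TO_TARGET_SW.get(purl_type, "*")
    for m in matches:
        c = parse_cpe23(m["criteria"])
        if (c["vendor"], c["product"]) != (vendor, product):
            continue
        # Skip entries for another platform unless target_sw is ANY (*) or NA (-).
        if respect_target_sw and c["target_sw"] not in ("*", "-", target_sw):
            continue
        if c["version"] not in ("*", "-"):  # exact-version entry, no range
            if version_key(c["version"]) == version_key(version):
                return True
            continue
        if in_range(version, m):
            return True
    return False


if __name__ == "__main__":
    for ver in ("1.10.1", "1.10.3"):
        naive = is_affected("maven", "microsoft", "azure_identity_sdk", ver,
                            SAMPLE_CPE_MATCHES, respect_target_sw=False)
        aware = is_affected("maven", "microsoft", "azure_identity_sdk", ver,
                            SAMPLE_CPE_MATCHES)
        print(f"azure-identity {ver}: naive={naive} target_sw-aware={aware}")
```

With these constructed bounds, azure-identity 1.10.3 is flagged by the naive check (it sits below the Python bound) and cleared by the target_sw-aware check, while 1.10.1 is flagged by both; that is exactly the per-platform range confusion the comment above points to.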

That language constraint for CPEs seems pretty important! Perhaps worth being on its own ticket? I have several exclusions in my false positives file where the CPE is for a different language.

martin-traverse, Oct 31 '23 17:10

@martin-traverse Only relevant for multi-language frameworks like this one, as for single-language libs the language component is typically left out of the CPE coordinates.

aikebah, Oct 31 '23 18:10