
[FP]: False Positive Nuget Azure.Identity

Open creasoft-dag opened this issue 1 year ago • 3 comments

Package URL

pkg:generic/[email protected]

CPE

cpe:2.3:a:microsoft:azure_identity_sdk:1.1000.323.51804:::::::* (Confidence:Low)

CVE

CVE-2023-36415

ODC Integration

CLI

ODC Version

8.3.1

Description

Hi,

We get a false positive for the Azure.Identity NuGet package. The file version of the DLL is set to 1.1000.323.51804 and the product version to 1.10.3+a4954......


The vulnerability should be fixed from 1.10.2 and up.

Best regards, Daniel

creasoft-dag avatar Nov 20 '23 14:11 creasoft-dag

Error parsing package url: https://www.nuget.org/packages/Azure.Identity/1.10.3.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions[bot] avatar Nov 20 '23 14:11 github-actions[bot]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/6931500863

github-actions[bot] avatar Nov 20 '23 14:11 github-actions[bot]
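The bot rejected the report because a nuget.org web URL was pasted where a package URL (purl) was expected. The following is an added example, not code from the DependencyCheck project: it parses a purl per the package-url grammar (`pkg:type/namespace/name@version?qualifiers#subpath`), raises the same "missing pkg scheme" error for the web URL, and turns a confirmed false positive into a `<suppress>` entry for Dependency-Check's documented suppression file (the `packageUrl regex="true"` and `cpe` elements and the `dependency-suppression.1.3.xsd` namespace are the project's own; the helper names `parse_purl`, `cpe23_to_suppression_cpe` and `suppression_rule` are hypothetical, and the CPE is converted to the `cpe:/a:vendor:product` form used in the project's suppression examples).

```python
"""Parse package URLs and emit a Dependency-Check suppression for a false positive.

Added example for this issue thread, not DependencyCheck's own code. Helper names
are hypothetical; the purl grammar follows the package-url specification.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote
import xml.etree.ElementTree as ET


class PurlError(ValueError):
    """Raised when a string is not a well-formed package URL."""


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None

    def __str__(self) -> str:
        s = f"pkg:{self.type}/"
        if self.namespace:
            s += f"{self.namespace}/"
        s += self.name
        if self.version:
            s += f"@{self.version}"
        return s


def parse_purl(text: str) -> Purl:
    """Parse `pkg:type/namespace/name@version?qualifiers#subpath`."""
    # The scheme check comes first: this is exactly what fails when a
    # nuget.org page URL is pasted instead of a purl.
    scheme, sep, rest = text.strip().partition(":")
    if not sep or scheme.lower() != "pkg":
        raise PurlError('purl is missing the required "pkg" scheme component.')
    rest = rest.lstrip("/")  # the spec tolerates pkg:// and pkg:///
    # Strip subpath and qualifiers from the right first, so an '@' or '/'
    # inside a qualifier value cannot be mistaken for the version separator.
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    qualifiers = {}
    if qualifier_str:
        for pair in qualifier_str.split("&"):
            key, _, value = pair.partition("=")
            if key:
                qualifiers[key.lower()] = unquote(value)
    # The version follows the LAST '@' of what remains.
    path, at, version = rest.rpartition("@")
    if not at:
        path, version = rest, None
    else:
        version = unquote(version) or None
    ptype, slash, name_part = path.partition("/")
    if not slash or not ptype or not name_part:
        raise PurlError("purl needs a type and a name: pkg:type/name")
    segments = [s for s in name_part.split("/") if s]
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[:-1]) or None
    return Purl(type=ptype.lower(), name=name, namespace=namespace,
                version=version, qualifiers=qualifiers,
                subpath=unquote(subpath) or None)


def cpe23_to_suppression_cpe(cpe23: str) -> str:
    """Reduce a CPE 2.3 string to the `cpe:/part:vendor:product` form.

    Assumes no escaped colons in the vendor/product fields.
    """
    fields = cpe23.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("expected a cpe:2.3:... string")
    part, vendor, product = fields[2], fields[3], fields[4]
    return f"cpe:/{part}:{vendor}:{product}"


def suppression_rule(purl: Purl, cpe23: str, notes: str) -> str:
    """Build a suppressions document that drops one CPE for every version of
    the package identified by the purl (regex anchored on type/namespace/name)."""
    ns = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
    root = ET.Element("suppressions", xmlns=ns)
    sup = ET.SubElement(root, "suppress")
    ET.SubElement(sup, "notes").text = notes
    fixed = f"pkg:{purl.type}/"
    if purl.namespace:
        fixed += f"{purl.namespace}/"
    fixed += purl.name
    # Escape regex metacharacters in the package name ('.' in Azure.Identity).
    pattern = "^" + re.escape(fixed) + "@.*$"
    ET.SubElement(sup, "packageUrl", regex="true").text = pattern
    ET.SubElement(sup, "cpe").text = cpe23_to_suppression_cpe(cpe23)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed inputs taken from the values reported in this issue.
    p = parse_purl("pkg:generic/Azure.Identity@1.1000.323.51804")
    print(suppression_rule(p, "cpe:2.3:a:microsoft:azure_identity_sdk:1.1000.323.51804:*:*:*:*:*:*:*",
                           "FP: DLL file version is not the NuGet package version"))
```

A suppression keyed on the purl plus CPE is narrower than suppressing the CVE globally, and it keeps working when the DLL's file version changes on the next build while the NuGet product version does not.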

We are also facing the same false positive vulnerability. When can we expect a solution?

a20nitin avatar Jan 18 '24 11:01 a20nitin