DependencyCheck
[FP]:Mono.Cecil
Package URL
pkg:generic/[email protected]
CPE
cpe:2.3:a:cecil:cecil:0.11.5.0:*:*:*:*:*:*:*
CVE
CVE-2023-4914
ODC Integration
None
ODC Version
8.4.3
Description
Vulnerability in https://github.com/cecilapp/cecil/commit/00dc79f10ce723034b7140d79f4ac731d1d902eb is reported for package "Mono.Cecil.".
Source: https://github.com/jbevain/cecil
It should refer to the package from the source repository, but instead it is referring to https://github.com/cecilapp/cecil, hence showing the "Mono.Cecil" package as vulnerable.
Hello @jeremylong, we are getting this vulnerability in a couple more projects. When can we get an update/solution on this issue? Thanks!!
@HarshalSuple @YaminiLupane can one of you validate that my hand-crafted suppression for this issue actually works? (I'm quite confident based on the info provided in the ticket, but I don't have an appropriate environment to validate it). If validated to be working I can add it to the sources that will be included in the hosted suppressions the next time our FP resolution workflow gets triggered by accepting an automation-proposed suppression on one of the other FP tickets.
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6257
    ]]></notes>
    <packageUrl regex="true">^pkg:generic/Mono.Cecil@.*$</packageUrl>
    <cpe>cpe:/a:cecil:cecil</cpe>
</suppress>
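As an added example (not from this thread or the DependencyCheck project), the following Python models how the proposed rule is evaluated: a dependency's package URL must fully match the packageUrl regex, and the identified CPE must agree with the rule's `cpe:/a:cecil:cecil` on every field the rule spells out (vendor and product only, so every version is covered). The matching model is a simplified assumption, and the dependency records it is run against are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the rule from the thread, wrapped in a <suppressions> root.
SUPPRESSION_XML = """<suppressions>
  <suppress base="true">
    <notes><![CDATA[FP per issue #6257]]></notes>
    <packageUrl regex="true">^pkg:generic/Mono.Cecil@.*$</packageUrl>
    <cpe>cpe:/a:cecil:cecil</cpe>
  </suppress>
</suppressions>"""

def load_rules(xml_text):
    """Parse each <suppress> into (purl_pattern_or_None, [cpe, ...])."""
    rules = []
    for node in ET.fromstring(xml_text).findall("suppress"):
        purl = node.find("packageUrl")
        if purl is None:
            pattern = None                      # rule is not restricted by purl
        elif purl.get("regex") == "true":
            pattern = re.compile(purl.text.strip())
        else:
            pattern = re.compile(re.escape(purl.text.strip()))  # literal match
        cpes = [c.text.strip() for c in node.findall("cpe")]
        rules.append((pattern, cpes))
    return rules

def cpe_fields(cpe):
    """Split a CPE 2.2 URI (cpe:/a:v:p) or 2.3 string (cpe:2.3:a:v:p:...) into fields."""
    if cpe.startswith("cpe:2.3:"):
        return cpe.split(":")[2:]
    if cpe.startswith("cpe:/"):
        return cpe[len("cpe:/"):].split(":")
    raise ValueError("unrecognised CPE: " + cpe)

def cpe_matches(rule_cpe, dep_cpe):
    """Simplified model (assumption): each field the rule gives must equal the dependency's."""
    want, have = cpe_fields(rule_cpe), cpe_fields(dep_cpe)
    return len(want) <= len(have) and all(w == h for w, h in zip(want, have))

def is_suppressed(rules, purl, cpe):
    """True when some rule's purl pattern fully matches AND one of its CPEs matches."""
    for pattern, cpes in rules:
        if pattern is not None and not pattern.fullmatch(purl):
            continue                            # rule is scoped to another package
        if any(cpe_matches(c, cpe) for c in cpes):
            return True
    return False

RULES = load_rules(SUPPRESSION_XML)
```

Running `is_suppressed` over constructed records shows the Mono.Cecil 0.11.5.0 finding being suppressed, while a dependency with another CPE, or a genuine `cecil` package with a different purl, is left untouched.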
@aikebah yes this works....
I am still getting this false positive in the latest version (9.2.0) -- is it supposed to be automagically suppressed now, or do I have to manually add the suppression code myself?
@mushu999 Thanks for pinging on this issue, I somehow missed the response of @Akash-2001-git. Should land in the hosted suppressions soon.