
[FP]: MongoDB.Bson identified as MongoDB

Open echalone opened this issue 1 year ago • 2 comments

Package URL

pkg:nuget/MongoDB.Bson@2.22.0

CPE

cpe:2.3:a:mongodb:mongodb:2.22.0:*:*:*:*:*:*:*

CVE

No response

ODC Integration

None

ODC Version

9.0.8

Description

A false positive for the mongodb library (https://github.com/mongodb/mongo) is reported, when in reality it is the MongoDB.Bson NuGet package (https://www.nuget.org/packages/MongoDB.Bson).

echalone · Jan 09 '24 09:01

Nuget Coordinates

dotnet add package MongoDB.Bson --version 2.22.0

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6376
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/MongoDB\.Bson@.*$</packageUrl>
   <cpe>cpe:/a:mongodb:mongodb</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7459342995

github-actions[bot] · Jan 09 '24 09:01
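To see how narrowly the proposed rule is scoped, here is an added example (not code from DependencyCheck or from anyone on this issue) that re-implements, in simplified form, the packageUrl + cpe matching a suppression rule performs and runs it over a few constructed findings. It assumes, as DependencyCheck's suppression documentation describes, that a regex packageUrl must match the whole purl and that a `<cpe>` value in `cpe:/` URI form matches a finding whose CPE, converted to that same form, starts with it; the purl `pkg:nuget/MongoDB.Bson@2.22.0` is derived from the NuGet coordinates above, and the sibling package and unrelated CPE in the sample findings are constructed for illustration only.

```python
"""Which findings would the suppression rule above hide?

Added example, not DependencyCheck's own matching code: a simplified
re-implementation of the packageUrl + cpe semantics of a <suppress> rule.
Assumptions (not stated on the issue): a regex packageUrl must match the
whole purl, and a <cpe> value in cpe:/ URI form matches a finding when the
finding's CPE, converted to that form, starts with it.
"""
import re
import xml.etree.ElementTree as ET

# Constructed suppression file wrapping the rule posted on this issue.
# The xmlns is the schema URL DependencyCheck documents; the parser below
# ignores namespaces anyway.
SUPPRESSIONS_XML = """<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #6376
    ]]></notes>
    <packageUrl regex="true">^pkg:nuget/MongoDB\\.Bson@.*$</packageUrl>
    <cpe>cpe:/a:mongodb:mongodb</cpe>
  </suppress>
</suppressions>
"""


def _local(tag):
    """Strip the XML namespace so rules parse with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def cpe23_to_uri(cpe23):
    """Convert a CPE 2.3 formatted string to the cpe:/ URI form used in
    suppression files: cpe:2.3:a:mongodb:mongodb:2.22.0:*:*:*:*:*:*:*
    becomes cpe:/a:mongodb:mongodb:2.22.0 (trailing ANY fields dropped).
    Simplified: no handling of escaped characters."""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError("not a CPE 2.3 formatted string: " + cpe23)
    fields = parts[2:]
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join("" if f == "*" else f for f in fields)


def parse_suppressions(xml_text):
    """Return the <suppress> rules as dicts: notes, purl, purl_regex, cpes."""
    rules = []
    for sup in ET.fromstring(xml_text).iter():
        if _local(sup.tag) != "suppress":
            continue
        rule = {"notes": "", "purl": None, "purl_regex": False, "cpes": []}
        for child in sup:
            name = _local(child.tag)
            text = (child.text or "").strip()
            if name == "notes":
                rule["notes"] = text
            elif name == "packageUrl":
                rule["purl"] = text
                rule["purl_regex"] = child.get("regex", "false").lower() == "true"
            elif name == "cpe":
                rule["cpes"].append(text)
        rules.append(rule)
    return rules


def rule_matches(rule, purl, cpe23):
    """True when the purl selector (if any) and one cpe selector both hit.
    A rule with no <cpe> suppresses nothing here: it would need a <cve> or
    <vulnerabilityName> selector, which this example does not model."""
    if rule["purl"] is not None:
        if rule["purl_regex"]:
            if not re.fullmatch(rule["purl"], purl):
                return False
        elif rule["purl"] != purl:
            return False
    uri = cpe23_to_uri(cpe23)
    return any(uri.startswith(c) for c in rule["cpes"])


def suppressing_rule(rules, purl, cpe23):
    """Notes of the first rule that hides the finding, or None if reported."""
    for rule in rules:
        if rule_matches(rule, purl, cpe23):
            return rule["notes"]
    return None


# Constructed findings: the one from this issue, a newer version of the same
# package, a sibling package the rule must NOT cover, and an unrelated CPE.
FINDINGS = [
    ("pkg:nuget/MongoDB.Bson@2.22.0", "cpe:2.3:a:mongodb:mongodb:2.22.0:*:*:*:*:*:*:*"),
    ("pkg:nuget/MongoDB.Bson@2.25.0", "cpe:2.3:a:mongodb:mongodb:2.25.0:*:*:*:*:*:*:*"),
    ("pkg:nuget/MongoDB.Driver@2.22.0", "cpe:2.3:a:mongodb:mongodb:2.22.0:*:*:*:*:*:*:*"),
    ("pkg:nuget/MongoDB.Bson@2.22.0", "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    rules = parse_suppressions(SUPPRESSIONS_XML)
    for purl, cpe in FINDINGS:
        why = suppressing_rule(rules, purl, cpe)
        print(f"{purl:34} {cpe:48} -> " + ("suppressed: " + why if why else "REPORTED"))
```

The point of the third finding is the one to keep in mind when writing such rules: because the packageUrl regex pins the package name, the mongodb:mongodb CPE is still reported for any other NuGet package it gets attached to, so each of those needs its own (or a deliberately broader) rule rather than silently inheriting this one.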

@echalone I'm pretty sure this is related to https://github.com/jeremylong/DependencyCheck/issues/6358. We're facing similar problems because the ecosystem of mongodb:mongodb is (often) not consistent across all CPEs.

BenniG82 · Jan 10 '24 07:01

approved

aikebah · Apr 13 '24 14:04

Suppress rule has been added to the generatedSuppressions branch.

github-actions[bot] · Apr 13 '24 14:04