[FP]: False Positive for System.Threading.Tasks.Extensions.dll and its dependents

Open a20nitin opened this issue 1 year ago • 4 comments

Package URL

pkg:generic/[email protected]

CPE

cpe:2.3:a:tasks:tasks:4.6.24705.01:*:*:*:*:*:*:*

CVE

CVE-2022-39349

ODC Integration

None

ODC Version

9.0.7

Description

This vulnerability, as per its description, is for the Tasks.org Android app, but we are using this package in our .NET Web project. So this vulnerability looks irrelevant for our case. The package System.Threading.Tasks.Extensions and its dependent packages such as System.Threading.Tasks should therefore not show any vulnerability for our .NET Web project.

CVE-2020-22475 for the same packages is a similar case of an Android application vulnerability, which seems to be a false positive for our case, so it should not be reflected as a vulnerability for our project.

a20nitin • Jan 18 '24 12:01

Is there any update on the above-mentioned false positive? @jeremylong @aikebah

a20nitin • Feb 02 '24 11:02

@jeremylong @aikebah any update on this false positive ticket??

Akash-2001-git • Feb 06 '24 08:02

Hi @aikebah @jeremylong, can you please expedite the process for this false positive? We are actually near our release and these particular vulnerabilities are causing failures in the pipelines. Please let us know the update. Thanks!!

HarshalSuple • Feb 06 '24 09:02

Facing the same issue. Adding the suppression XMLs:

<suppress>
   <notes><![CDATA[
   file name: System.Threading.Tasks.Extensions.dll
   ]]></notes>
   <packageUrl regex="true">^pkg:generic/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2022-39349</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: System.Threading.Tasks.Extensions:4.5.4
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2022-39349</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: System.Threading.Tasks.Extensions.dll
   ]]></notes>
   <packageUrl regex="true">^pkg:generic/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2020-22475</cve>
</suppress>
<suppress>
   <notes><![CDATA[
   file name: System.Threading.Tasks.Extensions:4.5.4
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2020-22475</cve>
</suppress>

Your support will be much appreciated. Thank you :)

StavHayounNoiberg • May 22 '24 12:05
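A way to check what the suppression rules in the comment above actually cover, as an added example that is not part of the thread or of DependencyCheck's own code. The findings list is constructed, the bare `<suppressions>` root omits the schema namespace a real suppression file declares, and whole-string, case-insensitive matching of `packageUrl` is an assumption about how the scanner applies these rules.

```python
import re
import xml.etree.ElementTree as ET

# Rules from the comment above (notes omitted) under a bare root element.
RULES_XML = r"""<suppressions>
<suppress>
   <packageUrl regex="true">^pkg:generic/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2022-39349</cve>
</suppress>
<suppress>
   <packageUrl regex="true">^pkg:nuget/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2022-39349</cve>
</suppress>
<suppress>
   <packageUrl regex="true">^pkg:generic/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2020-22475</cve>
</suppress>
<suppress>
   <packageUrl regex="true">^pkg:nuget/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cve>CVE-2020-22475</cve>
</suppress>
</suppressions>"""

# Constructed findings (not scanner output); CVE-0000-0000 is a placeholder id.
FINDINGS = [
    ("pkg:nuget/System.Threading.Tasks.Extensions@4.5.4", "CVE-2022-39349"),
    ("pkg:generic/System.Threading.Tasks.Extensions@4.6.24705.01", "CVE-2020-22475"),
    ("pkg:nuget/System.Threading.Tasks@4.3.0", "CVE-2022-39349"),
    ("pkg:nuget/System.Threading.Tasks.Extensions@4.5.4", "CVE-0000-0000"),
]

def load_rules(xml_text):
    """Return one (compiled packageUrl regex, CVE id set) pair per <suppress>."""
    rules = []
    for node in ET.fromstring(xml_text).iter("suppress"):
        purl = node.find("packageUrl")
        # Assumption: case-insensitive unless caseSensitive="true".
        flags = 0 if purl.get("caseSensitive") == "true" else re.IGNORECASE
        cves = {c.text.strip() for c in node.findall("cve")}
        rules.append((re.compile(purl.text.strip(), flags), cves))
    return rules

def is_suppressed(rules, purl, cve):
    """True only if a single rule matches the whole package URL and lists the CVE."""
    return any(rx.fullmatch(purl) and cve in cves for rx, cves in rules)

if __name__ == "__main__":
    for purl, cve in FINDINGS:
        print(is_suppressed(load_rules(RULES_XML), purl, cve), cve, purl)
```

The third finding stays reported: these rules name System.Threading.Tasks.Extensions only, so the dependent System.Threading.Tasks package mentioned in the issue description would need its own rule. The fourth shows that the rules are pinned to the two listed CVEs and do not hide other findings on the same package.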