DependencyCheck
[FP]: System.Runtime.CompilerServices.Unsafe.dll
Package URL
pkg:generic/[email protected]
CPE
cpe:2.3:a:services_project:services:5.0.20.51904:*:*:*:*:*:*:*
CVE
CVE-2014-9152
ODC Integration
None
ODC Version
9.0.7
Description
The false positive for the same vulnerability - "System.Runtime.CompilerServices.Unsafe.dll" - was reported a while back by someone; I don't have the link for it and also don't know if any action was taken.
But in many of our projects we are still facing this dependency-check vulnerability issue. It has not been suppressed, and it is causing pipeline failures.
@jeremylong @aikebah, can you please help us with this issue by suppressing it? Thanks, waiting for the update.
@HarshalSuple if you open the generated dependency-check HTML report with a web browser, it should have a 'suppress' button next to the improper CPE. That should yield you the suppression XML for it. Its selector would likely use a generic regex for the package URL without a version, and the suppression would target the invalid CPE.
I think this FP was never reported, as I can find no trace of it in this project's issues.
Facing the same issue. @aikebah, here is the suppression XML:
<?xml version="1.0" encoding="UTF-8"?>
<!-- The two <suppress> entries below are what the report's 'suppress' button produces;
     they are wrapped here in the <suppressions> root element that a complete
     dependency-check suppression file requires. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- NuGet package reference: the anchored regex matches any version (the "@.*" part),
       with the dots in the package name escaped so they match literally. -->
  <suppress>
    <notes><![CDATA[
    file name: System.Runtime.CompilerServices.Unsafe:6.0.0
    ]]></notes>
    <packageUrl regex="true">^pkg:nuget/System\.Runtime\.CompilerServices\.Unsafe@.*$</packageUrl>
    <cve>CVE-2014-9152</cve>
  </suppress>
  <!-- Same library when it is picked up as a bare DLL (generic package URL type). -->
  <suppress>
    <notes><![CDATA[
    file name: System.Runtime.CompilerServices.Unsafe.dll
    ]]></notes>
    <packageUrl regex="true">^pkg:generic/System\.Runtime\.CompilerServices\.Unsafe@.*$</packageUrl>
    <cve>CVE-2014-9152</cve>
  </suppress>
</suppressions>
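As an added example (not code from the thread or from the DependencyCheck project), the script below loads the two suppression rules posted above and checks which findings from a constructed sample set they would hide. It is a simplified model of dependency-check's matching: only the `packageUrl` selector and `cve` target are handled, and a `regex="true"` selector is assumed to need a full match against the package URL. The sample findings, the `CVE-0000-0000` placeholder and the `Some.Other.Package` name are constructed for the demonstration; the point it shows is that the version-agnostic regex covers 4.5.3, 5.0.20.51904 and 6.0.0 alike, while the suppression stays scoped to this one package and this one CVE.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by dependency-check suppression files.
NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# The two rules posted in the thread, wrapped in the root element a suppression file needs.
SUPPRESSION_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[file name: System.Runtime.CompilerServices.Unsafe:6.0.0]]></notes>
    <packageUrl regex="true">^pkg:nuget/System\.Runtime\.CompilerServices\.Unsafe@.*$</packageUrl>
    <cve>CVE-2014-9152</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[file name: System.Runtime.CompilerServices.Unsafe.dll]]></notes>
    <packageUrl regex="true">^pkg:generic/System\.Runtime\.CompilerServices\.Unsafe@.*$</packageUrl>
    <cve>CVE-2014-9152</cve>
  </suppress>
</suppressions>
"""

# Constructed sample findings as (package URL, CVE) pairs; CVE-0000-0000 is a placeholder.
SAMPLE_FINDINGS = [
    ("pkg:nuget/System.Runtime.CompilerServices.Unsafe@6.0.0", "CVE-2014-9152"),
    ("pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.3", "CVE-2014-9152"),
    ("pkg:generic/System.Runtime.CompilerServices.Unsafe@5.0.20.51904", "CVE-2014-9152"),
    ("pkg:nuget/Some.Other.Package@1.0.0", "CVE-2014-9152"),          # other package: not hidden
    ("pkg:nuget/System.Runtime.CompilerServices.Unsafe@6.0.0", "CVE-0000-0000"),  # other CVE: not hidden
]


def load_rules(xml_text):
    """Parse each <suppress> into a (package-URL matcher, set of CVEs) pair.

    Simplified model (assumption): only the packageUrl selector and cve targets
    are read; regex selectors must match the whole package URL, plain ones must
    be equal to it.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall(f"{NS}suppress"):
        purl_el = sup.find(f"{NS}packageUrl")
        if purl_el is None or not purl_el.text:
            continue
        pattern = purl_el.text.strip()
        if purl_el.get("regex", "false").lower() == "true":
            matcher = re.compile(pattern).fullmatch
        else:
            matcher = lambda s, p=pattern: s == p
        cves = {c.text.strip() for c in sup.findall(f"{NS}cve") if c.text}
        rules.append((matcher, cves))
    return rules


def is_suppressed(purl, cve, rules):
    """True when some rule selects this package URL and lists this CVE."""
    return any(matcher(purl) and cve in cves for matcher, cves in rules)


def triage(findings, rules):
    """Split findings into those the rules hide and those that would still fail the build."""
    suppressed, remaining = [], []
    for purl, cve in findings:
        (suppressed if is_suppressed(purl, cve, rules) else remaining).append((purl, cve))
    return suppressed, remaining


if __name__ == "__main__":
    rules = load_rules(SUPPRESSION_XML)
    hidden, still_reported = triage(SAMPLE_FINDINGS, rules)
    for purl, cve in hidden:
        print(f"suppressed : {cve} on {purl}")
    for purl, cve in still_reported:
        print(f"reported   : {cve} on {purl}")
```

Run it as-is to see the three System.Runtime.CompilerServices.Unsafe findings suppressed and the two unrelated ones still reported; swapping `fullmatch` for `search` would show why the `^`/`$` anchors in the posted rules matter when a regex selector is used.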
Facing the same issue with System.Runtime.CompilerServices.Unsafe:4.5.3.