DependencyCheck
[FP]: Keycloak-services for CVE-2021-3513
Package URL
pkg:maven/org.keycloak/[email protected]
CPE
cpe:2.3:a:keycloak:keycloak:6.0.1:*:*:*:*:*:*:*, cpe:2.3:a:redhat:keycloak:6.0.1:*:*:*:*:*:*:*
CVE
CVE-2021-3513
ODC Integration
None
ODC Version
9.1.0
Description
Actual vulnerable component is keycloak-services-6.0.1.jar
Error parsing package url: keycloak-6.0.1.zip: keycloak-common-6.0.1.jar.
Error: Error: purl is missing the required "pkg" scheme component.
Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9111612593
Updated the package information pkg:maven/org.keycloak/[email protected]
Maven Coordinates
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-common</artifactId>
    <version>6.0.1</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6671
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-common@.*$</packageUrl>
    <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9111683497
Similar to #6672, it is a sublibrary of the keycloak project and therefore linked by us to any vulnerability listed in NVD against the CPE.