Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FP]: CVE-2019-12401 org.codehaus.woodstox:wstx-asl:3.2.6 identified as vulnerable for Apache Solr #7212

Open
rochish-suresh opened this issue Dec 3, 2024 · 3 comments
Labels
FP Report maven changes to the maven plugin ossindex Label for issues that relate to the OSSIndex API won't fix

Comments

@rochish-suresh
Copy link

rochish-suresh commented Dec 3, 2024

Package URl

pkg:maven/org.codehaus.woodstox/[email protected]

CPE

cpe:2.3:a:org.codehaus.woodstox:wstx-asl:3.2.6:::::::*

CVE

CVE-2019-12401

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

10.0.3

Description

In our project wstx-asl is transitive from https://mvnrepository.com/artifact/org.apache.abdera/abdera-parser/1.1.3

Copy link
Contributor

github-actions bot commented Dec 3, 2024

Maven Coordinates

<dependency>
   <groupId>org.codehaus.woodstox</groupId>
   <artifactId>wstx-asl</artifactId>
   <version>3.2.6</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7212
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.codehaus\.woodstox/wstx-asl@.*$</packageUrl>
   <cpe>cpe:/a:org.codehaus.woodstox:wstx-asl</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12142917822

@github-actions github-actions bot added the maven changes to the maven plugin label Dec 3, 2024
Copy link
Contributor

github-actions bot commented Dec 3, 2024

Maven Coordinates

<dependency>
   <groupId>org.codehaus.woodstox</groupId>
   <artifactId>wstx-asl</artifactId>
   <version>3.2.6</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7212
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.codehaus\.woodstox/wstx-asl@.*$</packageUrl>
   <cpe>cpe:/a:org.codehaus.woodstox:wstx-asl</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12142974232

@aikebah
Copy link
Collaborator

aikebah commented Dec 8, 2024

Not a false positive, it's not identified as Apache SOLR, but OSSINDEX has listed the library as subject to the vulnerability. Whether or not that would be correct is something to take up with the folks over at OSSINDEX. ODC correctly reports that OSSINDEX links the CVE also to this library

@aikebah aikebah added won't fix ossindex Label for issues that relate to the OSSIndex API labels Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
FP Report maven changes to the maven plugin ossindex Label for issues that relate to the OSSIndex API won't fix
Projects
None yet
Development

No branches or pull requests

2 participants