False Positive: CVE-2022-34169 CVE-2014-0107 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final #1732
Comments
|
Hi @bhreddy83, thanks very much for the report. I'm not super familiar with Wildly. I did a quick search on DockerHub, and there are a lot of images with wildfly in the name. https://hub.docker.com/r/bitnami/wildfly seems like a good candidate, but I don't see a tag called I think what you're saying is, "I have an image built with |
|
I am utilizing the source code from the WildFly repository version 26.1.3.Final, available at https://github.com/wildfly/wildfly/tree/26.1.3.Final, to build WildFly. Notably, in the pom.xml file at line 389, the xlan version is specified as 2.7.1.jbossorg-6. |
bhreddy83
changed the title
What happened:
When scan on a wildfly(26.1.3.Final) container which has xalan custom fork 2.7.1.jbossorg-6, the following vulnerabilities are reported.
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
xalan 2.7.1.jbossorg-6 2.7.2 java-archive GHSA-rc2w-r4jq-7pfx High
xalan 2.7.1.jbossorg-6 2.7.3 java-archive GHSA-9339-86wc-4qgf High
These are linked to CVE-2014-0107 and CVE-2022-34169.
What you expected to happen:
According to Wildfly community, xalan-2.7.1.jbossorg-6, both CVE-2014-0107 and CVE-2022-34169 are not affected. Probably Grype is comparing to NVD, anything less than 2.7.3 is at fault.
Upon inquiry to the community regarding the latest version with fixes for identified vulnerabilities, feedback indicated that reports in Maven Central were false positives. The custom fork, version 2.7.1.jbossorg-6, indeed addresses these vulnerabilities, as evidenced by the following commits.
CVE-2014-0107 - jboss/xalan-j@534f2d3
CVE-2022-34169 - jboss/xalan-j@1e91610
Environment:
Output of
grype version:Application: grype
Version: 0.70.0
BuildDate: 2023-10-11T00:36:57Z
GitCommit: 7e5df38
GitDescription: v0.70.0
Platform: linux/amd64
GoVersion: go1.21.1
Compiler: gc
Syft Version: v0.93.0
Supported DB Schema: 5
wildfly: 26.1.3.Final
The text was updated successfully, but these errors were encountered: