
False Positive on undertow-core #2026

Closed
OrangeDog opened this issue Jun 27, 2019 · 2 comments

@OrangeDog

False positive on library undertow-core-2.0.21.Final.jar - reported as cpe:2.3:a:redhat:undertow:2.0.21:*:*:*:*:*:*:*

<dependency>
   <groupId>io.undertow</groupId>
   <artifactId>undertow-core</artifactId>
   <version>2.0.21.Final</version>
</dependency>

New in 5.0.0 (compared to 4.0.2) this dependency has CVE-2018-1067 detected.
It looks like the NVD is using the JBoss version instead of the Undertow version? However, this wasn't a problem on the previous plugin release.

@OrangeDog

See also OSSIndex/vulns#12

@OrangeDog

The RedHat distribution uses the JBoss version for all components.
The Maven distributions should not be identified with redhat CPEs.

<suppress>
    <packageUrl regex="true">^pkg:maven/io\.undertow/.*$</packageUrl>
    <cpe>cpe:/a:redhat:undertow</cpe>
</suppress>
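
The suppression quoted above pairs a packageUrl regex with a vendor CPE prefix so that only the redhat identification is dropped for the io.undertow artifacts, not every CPE on them. The script below is an added example, not code from this issue or from dependency-check, that models how such a rule is evaluated against a (package URL, CPE 2.3) pair so the rule can be sanity-checked before it goes into a project's suppression file. It assumes a cpe entry is a prefix match on the cpe:/ form and a regex packageUrl is a full match (both are modelling assumptions here); the suppression XML, the schema namespace being omitted, and the second non-redhat CPE are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample suppression file (not from the project). A real
# dependency-check file also declares the schema namespace on the root;
# the parser below ignores namespaces so either form loads.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions>
  <suppress>
    <packageUrl regex="true">^pkg:maven/io\\.undertow/.*$</packageUrl>
    <cpe>cpe:/a:redhat:undertow</cpe>
  </suppress>
</suppressions>
"""


def cpe23_to_cpe22(cpe23: str) -> str:
    """Reduce a CPE 2.3 formatted string to the cpe:/ prefix form used by
    suppression rules, dropping trailing '*' wildcard components.
    Escaped colons inside component values are not handled (toy parser)."""
    parts = cpe23.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe23!r}")
    fields = parts[2:]  # part, vendor, product, version, update, ...
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join(fields)


def load_rules(xml_text: str) -> list:
    """Parse every <suppress> element into a plain dict, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    rules = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "suppress":
            continue
        rule = {"packageUrl": None, "packageUrlRegex": False, "cpes": []}
        for child in elem:
            name = child.tag.split("}")[-1]
            text = (child.text or "").strip()
            if name == "packageUrl":
                rule["packageUrl"] = text
                rule["packageUrlRegex"] = child.get("regex", "false").lower() == "true"
            elif name == "cpe":
                rule["cpes"].append(text)
        rules.append(rule)
    return rules


def dependency_matches(rule: dict, purl: str) -> bool:
    """Does the rule's packageUrl selector pick out this dependency?
    Assumption: a regex selector must match the whole package URL."""
    selector = rule["packageUrl"]
    if selector is None:
        return False  # this toy only supports packageUrl selectors
    if rule["packageUrlRegex"]:
        return re.fullmatch(selector, purl) is not None
    return selector == purl


def is_suppressed(rules: list, purl: str, cpe23: str) -> bool:
    """True if some rule both selects the dependency and names the CPE.
    Assumption: <cpe> entries are prefix matches on the cpe:/ form."""
    cpe22 = cpe23_to_cpe22(cpe23)
    for rule in rules:
        if not dependency_matches(rule, purl):
            continue
        if any(cpe22.startswith(prefix) for prefix in rule["cpes"]):
            return True
    return False


if __name__ == "__main__":
    rules = load_rules(SUPPRESSIONS_XML)
    # The identification reported in the issue for the Maven artifact.
    purl = "pkg:maven/io.undertow/undertow-core@2.0.21.Final"
    redhat_cpe = "cpe:2.3:a:redhat:undertow:2.0.21:*:*:*:*:*:*:*"
    print(purl, redhat_cpe, "suppressed:", is_suppressed(rules, purl, redhat_cpe))
    # Constructed: a non-redhat vendor CPE on the same artifact is left alone,
    # so genuine Undertow findings still surface.
    other_cpe = "cpe:2.3:a:undertow:undertow:2.0.21:*:*:*:*:*:*:*"
    print(purl, other_cpe, "suppressed:", is_suppressed(rules, purl, other_cpe))
```

The point of scoping the rule by both packageUrl and cpe is visible in the second call: the rule silences only the redhat identification on io.undertow artifacts, while any other CPE on the same jar, and the redhat CPE on any other artifact, is still reported.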

@jeremylong jeremylong added this to the 5.1.1 milestone Jul 15, 2019
@lock lock bot locked and limited conversation to collaborators Aug 14, 2019