False Positive on activemq-all-5.15.11.jar #2483
Comments
Why do you think this is a FP match? Because it looks to me like the correct CPE was linked to the library mentioned.

CPE is correctly matched with the library but there are no CVEs reported for the same.

What is the False Positive that you get for it? Because you should not get any CVE for it.

Apologies... I missed the template for FPs which prescribes exactly the format you used for reporting. Looking at the CVEs reported I share your view that they should all be suppressed as they do not apply to the pieces packaged in activemq's libraries.
@jeremylong What would be a proper solution for this? I don't think it should be an addition to the current base suppression rules. They are already too generic for activemq libraries as they already filter out e.g. CVE-2015-7559 and CVE-2018-11775, CVE-2017-15709 for known-vulnerable client-code of activemq. I think for the activemq cases we would be better off with developers defining their suppressions themselves of known-not-vulnerable components rather than excluding the entire cpe in the base suppressions. The CVEs currently reported on activemq-all:5.15.11 (CVE-2015-5182, CVE-2015-5183 and CVE-2015-5184) are all truly unrelated to the activemq libraries as they are vulnerabilities of additional libraries included in the server-install of activemq or even only the server-install of Red Hat's A-MQ packaging of activemq (the vulnerabilities are in the jolokia API (which is used in both activemq server and A-MQ) and the HawtIO web interface (only A-MQ, activemq server comes with a more back-to-basics web-interface)).
@aikebah I agree we should probably remove the base suppression that is already present. Things like Active MQ do present more of a challenge. For the use cases for ODC I wonder if we could add something like:

    <suppress>
       <notes><![CDATA[
       file name: activemq-all-5.15.11.jar
       ]]></notes>
       <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
       <cve>CVE-2015-5182</cve>
       <cve>CVE-2015-5183</cve>
       <cve>CVE-2015-5184</cve>
    </suppress>

Then again - I've seen people use ODC in unexpected ways... So I tend to agree with you - maybe we should leave AMQ alone and let developers manage this in their own scans.
Suppression rules were added for the specific CVEs. New CVEs may come up in the future...
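The difference the two preceding comments turn on (a suppression scoped to the three named CVEs versus one that silences the whole activemq CPE, which would also hide any CVE reported against it later) can be made concrete with a small evaluator. The following is an added example written for this thread, not Dependency-Check's own matching code: it parses suppression files in the shape proposed above and applies a simplified model of ODC's rules (a `packageUrl regex="true"` is matched against the dependency's purl, `<cve>` suppresses exactly that id, `<cpe>` suppresses every CVE attached to a CPE with that prefix). The findings, the jolokia coordinates and `CVE-2099-00001` (standing in for a future CVE) are constructed for the example; the three CVE ids, the packageUrl pattern and the jar name come from the thread.

```python
import re
import xml.etree.ElementTree as ET

# ODC suppression schema 1.3 namespace; children of <suppressions> inherit it.
NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# Constructed file in the shape proposed in the thread: the three CVEs scoped to
# the org.apache.activemq Maven coordinates only.
PER_CVE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    file name: activemq-all-5.15.11.jar
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
    <cve>CVE-2015-5182</cve>
    <cve>CVE-2015-5183</cve>
    <cve>CVE-2015-5184</cve>
  </suppress>
</suppressions>
"""

# Constructed alternative that suppresses the whole CPE: the approach the thread
# argues against, because it also hides anything reported against it later.
CPE_WIDE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
    <cpe>cpe:2.3:a:apache:activemq</cpe>
  </suppress>
</suppressions>
"""

ACTIVEMQ_PURL = "pkg:maven/org.apache.activemq/activemq-all@5.15.11"
ACTIVEMQ_CPE = "cpe:2.3:a:apache:activemq:5.15.11:*:*:*:*:*:*:*"

# Constructed findings as (purl, cpe, cve). CVE-2099-00001 is a placeholder for a
# CVE published later; the jolokia coordinates and version are made up.
FINDINGS = [
    (ACTIVEMQ_PURL, ACTIVEMQ_CPE, "CVE-2015-5182"),
    (ACTIVEMQ_PURL, ACTIVEMQ_CPE, "CVE-2015-5183"),
    (ACTIVEMQ_PURL, ACTIVEMQ_CPE, "CVE-2015-5184"),
    (ACTIVEMQ_PURL, ACTIVEMQ_CPE, "CVE-2099-00001"),
    ("pkg:maven/org.jolokia/jolokia-core@0.0.0",
     "cpe:2.3:a:jolokia:jolokia:0.0.0:*:*:*:*:*:*:*", "CVE-2015-5182"),
]


def parse_rules(xml_text):
    """Return one dict per <suppress>: purl pattern, suppressed CVE ids, CPE prefixes."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.iter(NS + "suppress"):
        purl = sup.find(NS + "packageUrl")
        if purl is None:
            pattern = None
        elif purl.get("regex") == "true":
            pattern = purl.text.strip()
        else:
            # Without regex="true" the packageUrl must match exactly.
            pattern = "^" + re.escape(purl.text.strip()) + "$"
        rules.append({
            "purl_regex": pattern,
            "cves": {c.text.strip() for c in sup.findall(NS + "cve")},
            "cpes": [c.text.strip() for c in sup.findall(NS + "cpe")],
        })
    return rules


def is_suppressed(rule, purl, cpe, cve):
    """Simplified model: purl filter first, then either an exact CVE or a CPE prefix."""
    if rule["purl_regex"] and not re.match(rule["purl_regex"], purl):
        return False
    if cve in rule["cves"]:
        return True
    return any(cpe.startswith(prefix) for prefix in rule["cpes"])


def evaluate(xml_text, findings):
    """Map (purl, cve) -> whether any rule in the file suppresses that finding."""
    rules = parse_rules(xml_text)
    return {(purl, cve): any(is_suppressed(r, purl, cpe, cve) for r in rules)
            for purl, cpe, cve in findings}


if __name__ == "__main__":
    for label, xml_text in (("per-CVE", PER_CVE_XML), ("CPE-wide", CPE_WIDE_XML)):
        print(label)
        for (purl, cve), hidden in evaluate(xml_text, FINDINGS).items():
            print(f"  {cve:15} {purl:55} suppressed={hidden}")
```

Run as is, the per-CVE file hides only the three listed CVEs on the activemq purl and still reports the placeholder future CVE, while the CPE-wide file hides the future CVE too; neither touches the same CVE id when it is reported against the jolokia coordinates, because the packageUrl filter does not match.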
False positive on library activemq-all-5.15.11.jar - reported as cpe:2.3:a:apache:activemq:5.15.11:::::::*