False Positive on activemq-all-5.15.11.jar #2483

Closed
Anshu2405 opened this issue Feb 18, 2020 · 7 comments

@Anshu2405

False positive on library activemq-all-5.15.11.jar - reported as `cpe:2.3:a:apache:activemq:5.15.11:*:*:*:*:*:*:*`

```xml
<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-all</artifactId>
    <version>5.15.11</version>
</dependency>
```
@aikebah
Collaborator

aikebah commented Feb 23, 2020

Why do you think this is a FP match? Because it looks to me like the correct CPE was linked to the library mentioned.

@Anshu2405
Author

@aikebah
Collaborator

aikebah commented Feb 25, 2020

What is the False Positive that you get for it?

Because you should not get any CVE for it.

@aikebah
Collaborator

aikebah commented Feb 26, 2020

Apologies... I missed the template for FPs which prescribes exactly the format you used for reporting. Looking at the CVEs reported I share your view that they should all be suppressed as they do not apply to the pieces packaged in activemq's libraries.

@aikebah
Collaborator

aikebah commented Feb 26, 2020

@jeremylong What would be a proper solution for this?

I don't think it should be an addition to the current base suppression rules. They are already too generic for activemq libraries, as they already filter out e.g. CVE-2015-7559 and CVE-2018-11775, CVE-2017-15709 for known-vulnerable client code of activemq.

I think for the activemq cases we would be better off with developers defining their suppressions themselves of known-not-vulnerable components rather than excluding the entire cpe in the base suppressions.

The CVEs currently reported on activemq-all:5.15.11 (CVE-2015-5182 CVE-2015-5183 and CVE-2015-5184) are all truly unrelated to the activemq libraries as they are vulnerabilities of additional libraries included in the server-install of activemq or even only the server-install of Red Hat's A-MQ packaging of activemq (the vulnerabilities are in the jolokia API (which is used in both activemq server and A-MQ) and the HawtIO web interface (only A-MQ, activemq server comes with a more back-to-basics web-interface))

@jeremylong
Owner

@aikebah I agree we should probably remove the base suppression that is already present.

Things like Active MQ do present more of a challenge. For the use cases for ODC I wonder if we could add something like:

```xml
<suppress>
   <notes><![CDATA[
   file name: activemq-all-5.15.11.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
   <cve>CVE-2015-5182</cve>
   <cve>CVE-2015-5183</cve>
   <cve>CVE-2015-5184</cve>
</suppress>
```

Then again - I've seen people use ODC in unexpected ways... So I tend to agree with you - maybe we should leave AMQ alone and let developers manage this in their own scans.
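As an added illustration (not dependency-check's own matching code, and using a simplified model of the suppression semantics): the CVE-scoped rule from the comment above is parsed and applied to constructed scanner findings alongside a package-wide rule, to show why the thread prefers the former. It assumes that a rule with no `<cve>` children suppresses every CVE for a package whose `packageUrl` matches; the findings and the jolokia version are constructed, not claims about affected versions.

```python
import re
import xml.etree.ElementTree as ET

# CVE-scoped suppression, as proposed in the thread above.
CVE_SCOPED_RULE = r"""<suppress>
   <notes><![CDATA[
   file name: activemq-all-5.15.11.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
   <cve>CVE-2015-5182</cve>
   <cve>CVE-2015-5183</cve>
   <cve>CVE-2015-5184</cve>
</suppress>"""

# Constructed contrast: a package-wide rule with no <cve> children, i.e. the
# "exclude the entire cpe" style the comments argue against.
BLANKET_RULE = r"""<suppress>
   <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
</suppress>"""

# Constructed findings as (package URL, CVE) pairs; CVE-2015-7559 is a
# client-side activemq CVE that a blanket rule would hide.
FINDINGS = [
    ("pkg:maven/org.apache.activemq/activemq-all@5.15.11", "CVE-2015-5182"),
    ("pkg:maven/org.apache.activemq/activemq-all@5.15.11", "CVE-2015-5183"),
    ("pkg:maven/org.apache.activemq/activemq-all@5.15.11", "CVE-2015-5184"),
    ("pkg:maven/org.apache.activemq/activemq-all@5.15.11", "CVE-2015-7559"),
    ("pkg:maven/org.jolokia/jolokia-core@1.0.0-example", "CVE-2015-5182"),
]

def parse_rule(xml_text):
    """Return (compiled packageUrl pattern, set of listed CVEs)."""
    root = ET.fromstring(xml_text)
    purl = root.find("packageUrl")
    pattern = purl.text.strip()
    if purl.get("regex", "false").lower() != "true":
        pattern = "^" + re.escape(pattern) + "$"   # literal match when regex="false"
    cves = {c.text.strip() for c in root.findall("cve")}
    return re.compile(pattern), cves

def is_suppressed(rule, purl, cve):
    """Simplified semantics: package must match; empty CVE list means all CVEs."""
    pattern, cves = rule
    if not pattern.search(purl):
        return False
    return not cves or cve in cves

def suppressed_findings(rule_xml, findings):
    """List the CVEs (in order) that a rule would hide from the report."""
    rule = parse_rule(rule_xml)
    return [cve for purl, cve in findings if is_suppressed(rule, purl, cve)]
```

Running both rules over the same findings shows the CVE-scoped rule leaves CVE-2015-7559 visible, while the blanket rule swallows it; neither touches the jolokia package.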

@jeremylong jeremylong added this to the 6.0.3 milestone Nov 2, 2020
jeremylong added a commit that referenced this issue Nov 2, 2020
@jeremylong
Owner

Suppression rules were added for the specific CVEs. New CVEs may come up in the future...
