False Negative on bc-fips-1.0.2.jar and PyYAML:5.1.2 #3804

Closed
Anshu2405 opened this issue Nov 17, 2021 · 1 comment

@Anshu2405

CVE-2020-15522 might be a false negative on the library org.bouncycastle:bc-fips:1.0.2.
CVE-2019-20477, CVE-2020-14343 and CVE-2020-1747 might be false negatives on the library PyYAML:5.1.2.

These CVEs are not reported by the Dependency-Check tool but are reported by other open-source tools like Trivy.

Does this CVE actually belong to org.bouncycastle:bc-fips:1.0.2, as per the information on a few sites? If yes, then it is a false negative issue.

```xml
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bc-fips</artifactId>
    <version>1.0.2</version>
</dependency>
```

PyYAML:5.1.2
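One way to surface this kind of cross-tool discrepancy for triage is to diff the two scanners' JSON reports and list every CVE that Trivy flags but Dependency-Check does not; the script below is an added example, not part of this issue nor Dependency-Check's or Trivy's own code. The report field names (`dependencies[].vulnerabilities[].name` for Dependency-Check, `Results[].Vulnerabilities[].VulnerabilityID` for Trivy) and the sample reports are assumptions constructed for the example.

```python
import json

# Constructed sample reports (not real scanner output). Field names follow the
# assumed shape of a Dependency-Check JSON report and a Trivy JSON report.
# CVE-0000-00001 is a placeholder CVE that both tools report, so it must not
# show up as a candidate false negative.
DEPENDENCY_CHECK_JSON = json.dumps({"dependencies": [
    {"fileName": "bc-fips-1.0.2.jar",
     "vulnerabilities": [{"name": "CVE-0000-00001"}]},
    {"fileName": "PyYAML-5.1.2", "vulnerabilities": []},
]})
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "pom.xml", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "org.bouncycastle:bc-fips", "InstalledVersion": "1.0.2"},
        {"VulnerabilityID": "CVE-2020-15522", "PkgName": "org.bouncycastle:bc-fips", "InstalledVersion": "1.0.2"},
    ]},
    {"Target": "requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-20477", "PkgName": "PyYAML", "InstalledVersion": "5.1.2"},
        {"VulnerabilityID": "CVE-2020-14343", "PkgName": "PyYAML", "InstalledVersion": "5.1.2"},
        {"VulnerabilityID": "CVE-2020-1747", "PkgName": "PyYAML", "InstalledVersion": "5.1.2"},
    ]},
]})


def dependency_check_findings(report_json):
    """Return {CVE id: file name} for every vulnerability Dependency-Check reported."""
    found = {}
    for dep in json.loads(report_json).get("dependencies", []):
        # "vulnerabilities" is absent or empty for clean dependencies
        for vuln in dep.get("vulnerabilities") or []:
            found[vuln["name"]] = dep.get("fileName", "")
    return found


def trivy_findings(report_json):
    """Return {CVE id: 'package@version'} for every vulnerability Trivy reported."""
    found = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            found[vuln["VulnerabilityID"]] = f"{vuln['PkgName']}@{vuln['InstalledVersion']}"
    return found


def candidate_false_negatives(dc_json, trivy_json):
    """CVEs Trivy reports that Dependency-Check does not. These are candidates to
    check by hand against NVD: a miss in one tool can also be a false positive in the other."""
    dc = dependency_check_findings(dc_json)
    return {cve: pkg for cve, pkg in trivy_findings(trivy_json).items() if cve not in dc}


if __name__ == "__main__":
    for cve, pkg in sorted(candidate_false_negatives(DEPENDENCY_CHECK_JSON, TRIVY_JSON).items()):
        print(f"{cve}: flagged by Trivy for {pkg}, absent from Dependency-Check")
```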

@Anshu2405 changed the title from "False Positive on bc-fips-1.0.2.jar and PyYAML:5.1.2" to "False Negative on bc-fips-1.0.2.jar and PyYAML:5.1.2" on Nov 17, 2021
@aikebah (Collaborator) commented Jun 8, 2022

The bc-fips vulnerability is properly detected (Maven plugin 7.1.0). Not sure how to properly validate the PyYAML CVEs; maybe you can retest?
