[FP]: Numerous projects erroneously identified as Hamba avro #6102
Comments
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/6956918821
Non-public dependencies have to be mitigated by the authors themselves. The HTML report will have all evidence harvested by DependencyCheck. You'll likely find avro references in all of them (in some other item than the groupId/artifactId).
You are right, the mentioned dependency has the word avro in its description. My point is that the CPE should match hamba avro only, not everything with avro in it. There have been several similar cases in the past with identifiers like xxx_project, matching xxx in a lot of other packages.
Package URL
pkg:maven/com.syniverse.gsm.etl/[email protected]
CPE
cpe:2.3:a:avro_project:avro:2.10.0:*:*:*:*:*:*:*
CVE
No response
ODC Integration
Maven Plugin
ODC Version
8.4.3
Description
The mentioned package and many other of our internal packages are identified as Hamba avro. Some of the packages have "avro" in their names and some do not.
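Since the maintainer's reply leaves non-public dependencies to their owners, the usual mitigation is a suppression file scoped to the internal group rather than to the CPE alone, so a genuine Avro dependency elsewhere in the build still gets flagged. The file below is an added example, not part of this issue or of DependencyCheck's own sources; the group id comes from the reported package URL, while the regex form and the file name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (assumed file name: dependency-check-suppressions.xml).
     Suppresses only the avro_project:avro CPE, and only for artifacts whose
     package URL is in the internal com.syniverse.gsm.etl group, so the
     suppression cannot hide a real Avro dependency in another group. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Internal ETL packages are not Hamba avro. The CPE is matched on the word
      "avro" in harvested evidence (description text) rather than on the
      groupId/artifactId. Tracked in DependencyCheck issue #6102.
    ]]></notes>
    <!-- regex="true": match every artifact and version in the internal group -->
    <packageUrl regex="true">^pkg:maven/com\.syniverse\.gsm\.etl/.*$</packageUrl>
    <!-- A CPE entry is matched as a prefix, so this covers every version -->
    <cpe>cpe:/a:avro_project:avro</cpe>
  </suppress>
</suppressions>
```

Point the Maven plugin at the file through its `suppressionFiles` configuration and re-run the scan; the HTML report should then list the suppressed CPE under the affected artifacts instead of reporting it as a match.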