[FP]: protobuf-java 4.x release candidates flagged with CVE-2022-3171 #6361
Maven Coordinates

<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>4.0.0-rc-2</version>
</dependency>

Suppression rule:

<suppress base="true">
<notes><![CDATA[
FP per issue #6361
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@.*$</packageUrl>
<cpe>cpe:/a:com.google.protobuf:protobuf-java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7414370161
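The packageUrl regex in the suppression above ends in `@.*$`, so it covers every version of protobuf-java, not only the 4.x release candidates the issue is about. The script below is an added example, not code from the issue or from OWASP Dependency-Check: it parses the posted rule, checks which sample findings it would hide, and compares it with a narrower regex limited to 4.x (the narrower rule, the 3.16.0 and protobuf-javalite sample findings, and the simplified matching model are all constructed for this example). Dependency-check's real matching is modelled here as "packageUrl regex matches the package URL and the `<cpe>` element's vendor:product equals the finding's CPE vendor:product", which is an assumption.

```python
"""Check what a dependency-check suppression rule actually covers.

Added example for issue #6361; it is not part of OWASP Dependency-Check.
Matching is a simplified model (assumption): a rule applies when its
packageUrl regex matches the package URL and its <cpe> element has the same
vendor:product as the finding's CPE (version is ignored by the <cpe> match).
"""
import re
import xml.etree.ElementTree as ET

# Suppression rule exactly as posted in the issue.
RULE_FROM_ISSUE = r"""<suppress base="true">
<notes><![CDATA[
FP per issue #6361
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@.*$</packageUrl>
<cpe>cpe:/a:com.google.protobuf:protobuf-java</cpe>
</suppress>"""

# Narrower alternative (constructed, not from the issue): only 4.x versions,
# so findings for 3.x versions of the same artifact are still reported.
RULE_4X_ONLY = r"""<suppress base="true">
<notes>FP per issue #6361, limited to 4.x (constructed example)</notes>
<packageUrl regex="true">^pkg:maven/com\.google\.protobuf/protobuf-java@4\..*$</packageUrl>
<cpe>cpe:/a:com.google.protobuf:protobuf-java</cpe>
</suppress>"""

# Sample findings as (package URL, CPE). The first is the one from the issue;
# the 3.16.0 and protobuf-javalite rows are constructed to show rule scope.
FINDINGS = [
    ("pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2",
     "cpe:2.3:a:com.google.protobuf:protobuf-java:4.0.0-rc-2:*:*:*:*:*:*:*"),
    ("pkg:maven/com.google.protobuf/protobuf-java@3.16.0",
     "cpe:2.3:a:com.google.protobuf:protobuf-java:3.16.0:*:*:*:*:*:*:*"),
    ("pkg:maven/com.google.protobuf/protobuf-javalite@4.0.0-rc-2",
     "cpe:2.3:a:com.google.protobuf:protobuf-javalite:4.0.0-rc-2:*:*:*:*:*:*:*"),
]


def cpe_vendor_product(cpe):
    """Reduce a CPE 2.2 URI (cpe:/a:v:p...) or 2.3 string (cpe:2.3:a:v:p:...) to 'vendor:product'."""
    parts = cpe.split(":")
    if parts[1] == "2.3":
        vendor, product = parts[3], parts[4]
    else:
        vendor, product = parts[2], parts[3]
    return f"{vendor}:{product}"


def parse_rule(xml_text):
    """Return (compiled packageUrl pattern or None, cpe 'vendor:product' or None)."""
    root = ET.fromstring(xml_text)
    pattern = None
    purl_el = root.find("packageUrl")
    if purl_el is not None:
        text = purl_el.text.strip()
        # regex="true" means the text is a regular expression; otherwise the
        # package URL has to match it literally.
        if purl_el.get("regex") == "true":
            pattern = re.compile(text)
        else:
            pattern = re.compile(re.escape(text) + "$")
    cpe_el = root.find("cpe")
    cpe_key = cpe_vendor_product(cpe_el.text.strip()) if cpe_el is not None else None
    return pattern, cpe_key


def suppresses(rule_xml, purl, finding_cpe):
    """True if the rule would hide a finding with this package URL and CPE."""
    pattern, cpe_key = parse_rule(rule_xml)
    if pattern is not None and not pattern.match(purl):
        return False
    if cpe_key is not None and cpe_key != cpe_vendor_product(finding_cpe):
        return False
    return True


def coverage(rule_xml):
    """Map each sample package URL to whether the rule suppresses its finding."""
    return {purl: suppresses(rule_xml, purl, cpe) for purl, cpe in FINDINGS}


if __name__ == "__main__":
    for name, rule in (("rule from issue", RULE_FROM_ISSUE), ("4.x-only rule", RULE_4X_ONLY)):
        print(name)
        for purl, hidden in coverage(rule).items():
            print(f"  {'suppressed' if hidden else 'reported  '}  {purl}")
```

Running it shows the posted rule suppressing both the 4.0.0-rc-2 finding and the constructed 3.16.0 finding, while the 4.x-only variant leaves the 3.x finding visible; neither rule touches the protobuf-javalite row, because both the regex and the CPE product differ. Whether a broad or a narrow suppression is appropriate depends on whether any 3.x version can still enter the build.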
I've found this same issue is happening with CVE-2022-3509 as well. Both 4.0.0-rc-1 and 4.0.0-rc-2 are being flagged with this CVE despite these versions being outside the range of its vulnerable CPEs.

The 'OSSINDEX' suffix to the CVE in the report means that the researchers of OSSINDEX classified that library as vulnerable to the same issue. Whether or not that is valid is up to you to further validate and discuss with the people at OSSINDEX.

@aikebah - Maybe I'm looking in the wrong place, but the OSSINDEX page on GitHub and Sonatype only list 3.x versions as vulnerable. None of the resources I have found indicate that 4.x releases should be considered in the vulnerable range. Is there somewhere else I should be looking? Edit: Never mind, I see the version isn't listed in the vulnerability description on the index, but the vulnerability is listed on the specific page for that version. I'll follow up there.

@cdcnw The report created shows
The CPE links to https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.7
Package URL
pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2
CPE
cpe:2.3:a:com.google.protobuf:protobuf-java:4.0.0-rc-2:*:*:*:*:*:*:*
CVE
CVE-2022-3171
ODC Integration
Maven Plugin
ODC Version
9.0.7
Description
OWASP Dependency Check is incorrectly flagging protobuf-java 4.0.0-rc-2 and 4.0.0-rc-1 with CVE-2022-3171. According to the CPEs currently published to the NVD, no 4.x releases of this JAR should be considered vulnerable. From the NVD:
The CPEs all have an upper limit in the 3.x range so this appears to be an issue with ODC and not the NVD's data.