-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FP]: org.eclipse.jetty.toolchain/[email protected] is misidentified as a jetty 2.0.0 component #6798
Comments
Maven Coordinates <dependency>
<groupId>org.eclipse.jetty.toolchain</groupId>
<artifactId>jetty-jakarta-websocket-api</artifactId>
<version>2.0.0</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6798
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-jakarta-websocket-api@.*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9786401897 |
chadlwilson
added a commit
to chadlwilson/DependencyCheck
that referenced
this issue
Jul 4, 2024
Signed-off-by: Chad Wilson <[email protected]>
Thx, have raised a PR to try and make the suppression more generic to avoid playing "whack-a-mole" with these. |
jeremylong
pushed a commit
that referenced
this issue
Jul 4, 2024
Signed-off-by: Chad Wilson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/org.eclipse.jetty.toolchain/[email protected]
CPE
cpe:2.3:a:jetty:jetty:2.0.0:*:*:*:*:*:*:*
CVE
No response
ODC Integration
None
ODC Version
10.0.1
Description
Hello! Thanks for all the hard work on DependencyCheck!
This seems similar to #6666.
The package
pkg:maven/org.eclipse.jetty.toolchain/[email protected]
is being classified as a Jetty 2.0.0 package (cpe:2.3:a:eclipse:jetty:2.0.0:*:*:*:*:*:*:*
andcpe:2.3:a:jetty:jetty:2.0.0:*:*:*:*:*:*:*
), although it ships with Jetty 11. The package version is independent of the Jetty release version and describes the WebSocket API version.This triggers a bunch of false positive CVEs related to older versions of Jetty:
Here's a link to the artifact on Sonatype, if that helps:
https://central.sonatype.com/artifact/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api/2.0.0/versions
The text was updated successfully, but these errors were encountered: