[FP]: org.eclipse.jetty.toolchain/[email protected] is misidentified as a jetty 2.0.0 component #6798
Comments
|
Maven Coordinates <dependency>
<groupId>org.eclipse.jetty.toolchain</groupId>
<artifactId>jetty-jakarta-websocket-api</artifactId>
<version>2.0.0</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6798
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty-jakarta-websocket-api@.*$</packageUrl>
<cpe>cpe:/a:jetty:jetty</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9786401897 |
chadlwilson
added a commit
to chadlwilson/DependencyCheck
that referenced
this issue
Jul 4, 2024
Signed-off-by: Chad Wilson <[email protected]>
|
Thx, have raised a PR to try and make the suppression more generic to avoid playing "whack-a-mole" with these. |
jeremylong
pushed a commit
that referenced
this issue
Jul 4, 2024
Signed-off-by: Chad Wilson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/org.eclipse.jetty.toolchain/[email protected]
CPE
cpe:2.3:a:jetty:jetty:2.0.0:*:*:*:*:*:*:*CVE
No response
ODC Integration
None
ODC Version
10.0.1
Description
Hello! Thanks for all the hard work on DependencyCheck!
This seems similar to #6666.
The package
pkg:maven/org.eclipse.jetty.toolchain/[email protected]is being classified as a Jetty 2.0.0 package (cpe:2.3:a:eclipse:jetty:2.0.0:*:*:*:*:*:*:*andcpe:2.3:a:jetty:jetty:2.0.0:*:*:*:*:*:*:*), although it ships with Jetty 11. The package version is independent of the Jetty release version and describes the WebSocket API version.This triggers a bunch of false positive CVEs related to older versions of Jetty:
Here's a link to the artifact on Sonatype, if that helps:
https://central.sonatype.com/artifact/org.eclipse.jetty.toolchain/jetty-jakarta-websocket-api/2.0.0/versions
The text was updated successfully, but these errors were encountered: