[FP]: False positive for CVE-2024-35255 in com.microsoft.azure/msal4j@1.15.1 #6840
Comments
Maven Coordinates:
<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>msal4j</artifactId>
    <version>1.15.1</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6840
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941860681
Maven Coordinates:
<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>msal4j</artifactId>
    <version>1.15.1</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6840
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941871855
Maven Coordinates:
<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>msal4j</artifactId>
    <version>1.15.1</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #6840
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941886001
Not good. This also suppresses true positives. The match to What is the correct syntax in suppressions.xml for that? Thanks in advance for your help. BTW: Does suppressions.xml really only accept CPE 2.2 and not CPE 2.3? Would be nice to have CPE 2.3 in suppressions.xml, so it is aligned with the report.
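A narrower rule for the concern raised in the comment above, added here as an example and not taken from the issue or from the dependency-check project: the suppression is scoped to one CVE and one exact package URL instead of the whole CPE, so other findings against the same CPE still surface. The element names follow the dependency-check suppression schema; the version pin and the note text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Broad form (the rule posted in the issue): every CVE ever mapped to this
         CPE is hidden, for every msal4j version, so genuine future findings
         against the library disappear as well. Shown here disabled. -->
    <!--
    <suppress base="true">
        <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
        <cpe>cpe:/a:microsoft:authentication_library</cpe>
    </suppress>
    -->

    <!-- Narrow form: only CVE-2024-35255, only for the exact coordinate in use.
         Without regex="true" the packageUrl is an exact string match, so an
         upgrade of msal4j stops the rule from matching and the new version is
         re-evaluated by the scanner instead of being silently trusted. -->
    <suppress>
        <notes><![CDATA[
        FP per issue #6840: CVE-2024-35255 reported against msal4j 1.15.1
        (assumed not affected per the issue). Pinned to this version on
        purpose; re-check on upgrade.
        ]]></notes>
        <packageUrl>pkg:maven/com.microsoft.azure/msal4j@1.15.1</packageUrl>
        <cve>CVE-2024-35255</cve>
    </suppress>
</suppressions>
```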
Hi, Thank you for your response. I just wanted to report that the Could you please advise on how to proceed or if there are any additional steps I need to take to ensure this false positive is properly handled? Thank you in advance for your help.
I had a similar finding to @matthiaskraaz, which is that libraries/versions for other languages (e.g. Python and JavaScript) are getting matched.
Hi, is there any update on this?
Any news?
Maybe an entry in a hintsFile is the right solution. But I have given up after endless experimentation. |
Package URL
pkg:maven/com.microsoft.azure/msal4j@1.15.1
CPE
cpe:2.3:a:microsoft:authentication_library:1.15.1:*:*:*:*:*:*:*
CVE
CVE-2024-35255
ODC Integration
CLI
ODC Version
10.0.2
Description
The msal4j library version 1.15.1 is marked as excluded for CVE-2024-35255, but is still being reported as vulnerable. This appears to be a false positive, as the vulnerability should not apply to versions 1.15.1 and above.