[FP]: Wrongly reporting vulnerability CVE-2016-1405 on clamav-client-1.0.1.jar #7017
Comments
|
Maven Coordinates <dependency>
<groupId>fi.solita.clamav</groupId>
<artifactId>clamav-client</artifactId>
<version>1.0.1</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #7017
]]></notes>
<packageUrl regex="true">^pkg:maven/fi\.solita\.clamav/clamav-client@.*$</packageUrl>
<cpe>cpe:/a:clamav:clamav</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11228880964 |
|
Correction on above description - Impacts on "clamav:clamav" packages, not on open id. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/fi.solita.clamav/[email protected]
CPE
cpe:2.3:a:clamav:clamav::::::::
CVE
CVE-2016-1405
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
10.0.2
Description
Per NVD Affected component: cpe:2.3:a:clamav:clamav::::::::
This https://nvd.nist.gov/vuln/detail/CVE-2016-1405 impacts only on "openid.net" packages as per NVD and cpe provided. But tool is reporting https://nvd.nist.gov/vuln/detail/CVE-2016-1405 on "fi.solita.clamav/[email protected]" jars as well which is wrong.
From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?
The text was updated successfully, but these errors were encountered: