[FP]: Azure SDK for Java #6100
Comments
Maven Coordinates

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-core</artifactId>
    <version>1.44.1</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #6100
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure-core@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6955184981
Is this a false positive? I have updated to the latest version and I still have the same vulnerability.

@aikebah what would a proper suppression look like? Would we need a (more) wildcard package URL or several individual suppressions?

@aikebah @jeremylong do you think this is something we can expect a suppression for any time soon?
Package URL
pkg:maven/com.azure/azure-core@1.44.1
CPE
cpe:2.3:a:microsoft:azure_sdk_for_java:1.44.1:*:*:*:*:*:*:*
CVE
CVE-2023-36052
ODC Integration
Maven Plugin
ODC Version
8.2.1
Description
This only affects the Azure CLI but is matching the Azure Java SDK. Check: https://nvd.nist.gov/vuln/detail/CVE-2023-36052
It also incorrectly matches on other com.azure packages:
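To see what the suppression rule posted above does and does not silence, here is an added Python model (not DependencyCheck's own code) that applies a suppression file's packageUrl regex and cpe to constructed findings, using the rule from this issue and the wider com.azure variant asked about in the comments. The matching logic is a simplified assumption about how ODC evaluates suppressions, and the findings other than the azure-core one are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# The rule from this issue, wrapped in a bare <suppressions> root (wrapper constructed here).
ISSUE_RULE = r"""<suppressions>
  <suppress base="true">
    <notes><![CDATA[ FP per issue #6100 ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.azure/azure-core@.*$</packageUrl>
    <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
  </suppress>
</suppressions>"""

# The "more wildcard package URL" variant asked about in the thread: every com.azure artifact.
WIDE_RULE = ISSUE_RULE.replace("azure-core@", "")

# Constructed findings in the shape ODC reports them: the one from this issue, a placeholder
# for the "other com.azure packages", and one whose CPE is a different product and must survive.
FINDINGS = [
    {"purl": "pkg:maven/com.azure/azure-core@1.44.1",
     "cpe": "cpe:2.3:a:microsoft:azure_sdk_for_java:1.44.1:*:*:*:*:*:*:*"},
    {"purl": "pkg:maven/com.azure/azure-other@0.0.0",          # placeholder artifact
     "cpe": "cpe:2.3:a:microsoft:azure_sdk_for_java:0.0.0:*:*:*:*:*:*:*"},
    {"purl": "pkg:maven/com.azure/azure-other@0.0.0",          # placeholder artifact
     "cpe": "cpe:2.3:a:example_vendor:example_product:0.0.0:*:*:*:*:*:*:*"},
]

def load_rules(xml_text):
    rules = []
    for s in ET.fromstring(xml_text).iter("suppress"):
        purl, cpe = s.find("packageUrl"), s.find("cpe")
        rules.append({"purl": purl.text.strip(), "purl_regex": purl.get("regex") == "true",
                      "cpe": cpe.text.strip()})
    return rules

def rule_applies(rule, finding):
    """Simplified model (assumption): the packageUrl must match, and the rule's vendor:product
    must equal the finding's; a version-less cpe:/a:vendor:product covers every version."""
    if rule["purl_regex"]:
        if not re.match(rule["purl"], finding["purl"]):
            return False
    elif rule["purl"] != finding["purl"]:
        return False
    rule_vp = rule["cpe"].split(":")[2:4]        # cpe:/a:vendor:product
    finding_vp = finding["cpe"].split(":")[3:5]  # cpe:2.3:a:vendor:product:version:...
    return rule_vp == finding_vp

def remaining_findings(rules_xml, findings):
    # Findings that the suppression file does NOT silence.
    rules = load_rules(rules_xml)
    return [f for f in findings if not any(rule_applies(r, f) for r in rules)]
```

With the issue's rule only azure-core is silenced; the wider regex also silences the placeholder sibling, while the finding keyed to a different CPE product survives either way because the cpe element scopes the suppression.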