[FP]: Azure SDK for Java

[rmn7]

Package URl

pkg:maven/com.azure/[email protected]

CPE

cpe:2.3:a:microsoft:azure_sdk_for_java:1.44.1:*:*:*:*:*:*:*

CVE

CVE-2023-36052

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

8.2.1

Description

This only affects the azure cli but is matching for the azure java sdk. Check: https://nvd.nist.gov/vuln/detail/CVE-2023-36052

It also incorrectly matches on other com.azure packages:

azure-core-1.44.1.jar (pkg:maven/com.azure/[email protected], cpe:2.3:a:microsoft:azure_cli:1.44.1:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.44.1:*:*:*:*:*:*:*) : CVE-2023-36052
azure-core-http-netty-1.13.9.jar (pkg:maven/com.azure/[email protected], cpe:2.3:a:microsoft:azure_cli:1.13.9:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.13.9:*:*:*:*:*:*:*) : CVE-2023-36052
azure-core-management-1.11.5.jar (pkg:maven/com.azure/[email protected], cpe:2.3:a:microsoft:azure_cli:1.11.5:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.11.5:*:*:*:*:*:*:*) : CVE-2023-36052
azure-identity-1.10.4.jar (pkg:maven/com.azure/[email protected], cpe:2.3:a:microsoft:azure_cli:1.10.4:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_identity_sdk:1.10.4:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.10.4:*:*:*:*:*:*:*) : CVE-2023-36052
azure-json-1.1.0.jar (pkg:maven/com.azure/[email protected], cpe:2.3:a:microsoft:azure_cli:1.1.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:1.1.0:*:*:*:*:*:*:*) : CVE-2023-36052
azure-resourcemanager-2.31.0.jar (pkg:maven/com.azure.resourcemanager/[email protected], cpe:2.3:a:microsoft:azure_cli:2.31.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:2.31.0:*:*:*:*:*:*:*) : CVE-2023-36052
azure-resourcemanager-msi-2.31.0.jar (pkg:maven/com.azure.resourcemanager/[email protected], cpe:2.3:a:microsoft:azure_cli:2.31.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_identity_sdk:2.31.0:*:*:*:*:*:*:*, cpe:2.3:a:microsoft:azure_sdk_for_java:2.31.0:*:*:*:*:*:*:*) : CVE-2023-36052

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-core</artifactId>
   <version>1.44.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6100
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-core@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_sdk_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6955184981

[Dhanxy]

This is a false positive?. I have uploaded to the latest version and I still have the same vulnerability

[marcelstoer]

@aikebah how could a proper suppression look like? Would we need a (more) wildcard package URL or several individual suppressions?

Excerpt from the HTML report below.

[marcelstoer]

@aikebah @jeremylong do you think this is something we can expect a suppression for any time soon?