[FP]: IronPython:2.7.11 is marked by Dependency-Check 9.0.9 as CRITICAL, which is a False Positive #6435
Comments
Error parsing package url: https://www.nuget.org/packages/IronPython/2.7.11. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7725260056
Nuget Coordinates: `dotnet add package IronPython --version 2.7.11`

Suppression rule:

```xml
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6435
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/IronPython@.*$</packageUrl>
   <cpe>cpe:/a:python:python</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7790776565
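An added example (not part of this issue or of Dependency-Check's own code) showing how the two conditions in the rule above combine: the `packageUrl` regex must match the dependency's purl, and the version-less `cpe` must be a prefix of the finding's CPE in 2.2 URI form, so only the `python:python` CPE is dropped for IronPython, not for other packages and not other CPEs. The CPE 2.3-to-2.2 conversion and the prefix match are a simplified model of the scanner's behaviour, and the findings are constructed inputs.

```python
"""Simplified model of applying a Dependency-Check suppression rule to a finding.

Written for this issue as an illustration; not Dependency-Check's implementation.
The XML is the rule proposed in issue #6435; the findings below are constructed.
"""
import re
import xml.etree.ElementTree as ET

SUPPRESSION_XML = """<suppressions>
<suppress base="true">
  <notes><![CDATA[FP per issue #6435]]></notes>
  <packageUrl regex="true">^pkg:nuget/IronPython@.*$</packageUrl>
  <cpe>cpe:/a:python:python</cpe>
</suppress>
</suppressions>"""


def cpe23_to_cpe22(cpe23: str) -> str:
    """Turn a CPE 2.3 formatted string into the 2.2 URI form, dropping
    trailing wildcard fields: cpe:2.3:a:v:p:1.0:*:*:... -> cpe:/a:v:p:1.0"""
    parts = cpe23.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: %r" % cpe23)
    fields = parts[2:]
    while fields and fields[-1] in ("*", ""):
        fields.pop()
    return "cpe:/" + ":".join(fields)


def load_rules(xml_text: str) -> list:
    """Extract (packageUrl, regex flag, cpe) from each <suppress> element."""
    rules = []
    for node in ET.fromstring(xml_text).findall("suppress"):
        purl, cpe = node.find("packageUrl"), node.find("cpe")
        rules.append({"purl": purl.text, "purl_regex": purl.get("regex") == "true",
                      "cpe": cpe.text})
    return rules


def rule_suppresses(rule: dict, package_url: str, cpe23: str) -> bool:
    """Both conditions must hold: the purl matches (full regex match, as a
    Java-style matches() would) AND the version-less cpe is a case-insensitive
    prefix of the finding's CPE 2.2 URI."""
    if rule["purl_regex"]:
        if not re.fullmatch(rule["purl"], package_url):
            return False
    elif rule["purl"] != package_url:
        return False
    return cpe23_to_cpe22(cpe23).lower().startswith(rule["cpe"].lower())


def is_suppressed(package_url: str, cpe23: str, xml_text: str = SUPPRESSION_XML) -> bool:
    """True if any rule in the suppression file removes this CPE for this dependency."""
    return any(rule_suppresses(r, package_url, cpe23) for r in load_rules(xml_text))
```

Running `is_suppressed("pkg:nuget/IronPython@2.7.11", "cpe:2.3:a:python:python:2.7.11:*:*:*:*:*:*:*")` returns True, while the same CPE on a constructed `pkg:pypi/cpython@2.7.11` dependency is left alone.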
This suppression seems legit @aikebah - what do you think? IronPython and CPython are versioned independently even if they do share code in some versions, it's not appropriate to match in this way IMHO. IronPython would need its own CPE (and probably does have).
@chadlwilson agreed, the two projects are unrelated (except for both being an implementation of an interpreter for the Python language) and NVD would use a separate CPE for IronPython should a CVE be published for it. approved
Suppress rule has been added to the
Package URL
pkg:nuget/IronPython@2.7.11
CPE
cpe:2.3:a:python:python:2.7.11:*:*:*:*:*:*:* (Confidence:Low)
CVE
CVE-2016-5636, CVE-2016-9063, CVE-2017-1000158, CVE-2018-1000802 and others as well
ODC Integration
CLI
ODC Version
9.0.9
Description
The library itself, in version 2.7.11, uses CPython in version 2.7.18, and most of the vulnerabilities relate to CPython in versions lower than 2.7.18; the mismatch arises because the library has a different versioning model than CPython. As a result, Dependency-Check marked this dependency as CRITICAL, which is not true.
IronPython - CPython Dependencies
Report in Json for IronPython 2.7.11
dependency-check-report.json
Sonatype report:
https://ossindex.sonatype.org/component/pkg:nuget/IronPython@2.7.11?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.9