[FP]: com.itextpdf/itextpdf gets reported as iText package (not the same package) #6877
Comments
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10180441915

Duplicate of #6722?
Yes, it is, sorry I did not note this one. But I guess we either keep it here or reopen, as the itextpdf latest version is 5.5.13.4, while in the CVD description it is stated that the issue is in itext 7.1.17 and fixed in itext 7.1.18, which makes no sense given the completely different versions of the itextpdf package. Replying to this part of your comment there

We are not, but this is not the iText package, but the itextpdf package, which is a completely different package with different versioning (and with some of its own vulnerabilities reported in its previous versions), and doing a different thing (iText is for parsing of PDF content, while itextpdf is for creating PDFs).
Regarding your
That's simply not true, the itextpdf artifact is an EOL remnant of the Java 5 era compatible iText 5, but clearly advertises that users should upgrade to current iText which is its replacement. As clearly stated in their own readme on github:
Right, and also on the same readme page it is stated that there are security fixes applied to itextpdf 5, that is why the version is getting updated with different values. From what I've seen in the CVD description and how itextpdf works, I think it is still a false positive for the itextpdf part of itext (and neither the code nor the logic is present in itextpdf). I mean, I understand that we should update to iText 7 here. That is a completely different story.
Which is why the right way to deal with these assumed FPs is to contact NVD about it so that they can (if they agree) adjust the applicable version ranges to something that excludes non-vulnerable ranges of lower major versions. DependencyCheck is simply correctly reporting that "according to the vulnerability data of the NVD" any version of itext lower than 7.2.2 is vulnerable to
From the textual description it appears as if also a minimum version (a from/to range for 7.1.7 up to excluding 7.2.2) should be applied, but for unknown reasons NVD has only registered the 'up to excluding' with no lower bound.
Package URL
pkg:maven/com.itextpdf/itextpdf
CPE
cpe:2.3:a:itextpdf:itext::::::::
CVE
CVE-2022-24196, CVE-2022-24197
ODC Integration
Maven Plugin
ODC Version
10.0.3
Description
No response
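While NVD is asked to add the missing lower bound, a scan can be kept quiet for exactly this artifact and these two CVEs with a DependencyCheck suppression file. This is an added example, not taken from the issue thread or the project; the file name and the 5.x-only version bound are assumptions, and the CVE ids, package URL and CPE come from the report above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- itextpdf-suppressions.xml (assumed file name); pass it to the Maven plugin
     via <suppressionFiles> or to the CLI via --suppression -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2022-24196 / CVE-2022-24197 describe iText 7.1.x (fixed in 7.1.18);
      the legacy com.itextpdf:itextpdf 5.x artifact is matched only because
      NVD registered the CPE range as "up to excluding 7.2.2" with no lower
      bound. Tracked in DependencyCheck issue #6877 (duplicate of #6722).
      Revisit once NVD adjusts the range.
    ]]></notes>
    <!-- Scope to the 5.x line of this one artifact (assumption: nothing newer
         is expected to appear under this coordinate). -->
    <packageUrl regex="true">^pkg:maven/com\.itextpdf/itextpdf@5\..*$</packageUrl>
    <!-- Suppress only the two CVEs from the report, not the whole
         cpe:/a:itextpdf:itext match: the 5.x line has had its own advisories
         and those should still surface. -->
    <cve>CVE-2022-24196</cve>
    <cve>CVE-2022-24197</cve>
  </suppress>
</suppressions>
```

Suppressing by `<cve>` rather than by `<cpe>` keeps the CPE identification in the report, so any other itext advisory that NVD attaches to this artifact is still reported.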