
[FP]: com.itextpdf/itextpdf gets reported as iText package (not the same package) #6877

Closed
SergeS opened this issue Jul 31, 2024 · 6 comments

Comments


SergeS commented Jul 31, 2024

Package URL

pkg:maven/com.itextpdf/itextpdf

CPE

cpe:2.3:a:itextpdf:itext::::::::

CVE

CVE-2022-24196, CVE-2022-24197

ODC Integration

Maven Plugin

ODC Version

10.0.3

Description

No response

Contributor

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10180441915

aikebah (Collaborator) commented Jul 31, 2024

Duplicate of #6722?

SergeS (Author) commented Aug 1, 2024

Yes, it is, sorry I did not notice this one.

But I guess we either keep it here or reopen, as the itextpdf latest version is 5.5.13.4, while in the CVE description it is stated that the issue is in itext 7.1.17 and fixed in itext 7.1.18, which makes no sense given the completely different versions of the itextpdf package.

Replying to this part of your comment there

We're not in a position to judge whether iText 5

We are not, but this is not the iText package but the itextpdf package, which is a completely different package with different versioning (and with some of its own vulnerabilities reported for its previous versions) and does a different thing (iText is for parsing PDF content, while itextpdf is for creating PDFs).

aikebah (Collaborator) commented Aug 3, 2024

Regarding your

Replying to this part of your comment there

We're not in a position to judge whether iText 5

We are not, but this is not the iText package but the itextpdf package, which is a completely different package with different versioning (and with some of its own vulnerabilities reported for its previous versions) and does a different thing (iText is for parsing PDF content, while itextpdf is for creating PDFs).

That's simply not true: the itextpdf artifact is an EOL remnant of the Java 5 era-compatible iText 5, but it clearly advertises that users should upgrade to the current iText, which is its replacement. As clearly stated in their own readme on GitHub:

We HIGHLY recommend customers use iText 7 for new projects, and to consider moving existing projects from iText 5 to iText 7 to benefit from the many improvements

SergeS (Author) commented Aug 4, 2024

Right, and also on the same readme page it is stated that there are security fixes applied to itextpdf 5, which is why the version is getting updated with different values.

From what I've seen in the CVE description and how itextpdf works, I think it is still a false positive for the itextpdf part of iText (and neither the code nor the logic is present in itextpdf).

I mean, I understand that we should update to iText 7 here. That is a completely different story.

aikebah (Collaborator) commented Aug 4, 2024

Which is why the right way to deal with these assumed FPs is to contact NVD about it so that they can (if they agree) adjust the applicable version ranges to something that excludes non-vulnerable ranges of lower major versions.

DependencyCheck is simply correctly reporting that "according to the vulnerability data of the NVD" any version of itext lower than 7.2.2 is vulnerable to CVE-2022-24196.

From the textual description it appears as if also a minimum version (a from/to range for 7.1.7 up to excluding 7.2.2) should be applied, but for unknown reasons NVD has only registered the 'up to excluding' with no lower bound.
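As an added example (not DependencyCheck's or NVD's own code), the following Python models the NVD version-range matching the last comment describes: with only versionEndExcluding 7.2.2 registered, the itextpdf 5.5.13.4 artifact matches, whereas with the 7.1.7 lower bound the CVE text implies it would not. The CpeMatch class, parse_version and evaluate names are this example's own, and the simplified version comparison is an assumption, not DependencyCheck's logic.

```python
"""Added example (not DependencyCheck's or NVD's code): a minimal model of NVD
cpe_match version bounds, showing why a record with only versionEndExcluding
and no lower bound matches com.itextpdf/itextpdf 5.5.13.4 for CVE-2022-24196."""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted version -> ints; non-numeric segments count as 0 (simplification)."""
    return tuple(int(s) if s.isdigit() else 0 for s in version.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding the shorter tuple so that 7.2 == 7.2.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


@dataclass
class CpeMatch:
    """One NVD cpe_match entry: CPE 2.3 vendor/product plus optional bounds."""
    vendor: str
    product: str
    start_including: Optional[str] = None  # None = unbounded below
    end_excluding: Optional[str] = None    # None = unbounded above

    def applies_to(self, vendor: str, product: str, version: str) -> bool:
        if (vendor, product) != (self.vendor, self.product):
            return False
        if self.start_including and version_lt(version, self.start_including):
            return False
        if self.end_excluding and not version_lt(version, self.end_excluding):
            return False
        return True


# cpe:2.3:a:itextpdf:itext with only "up to excluding 7.2.2", as the thread says NVD registered it.
AS_REGISTERED = CpeMatch("itextpdf", "itext", end_excluding="7.2.2")
# Same entry with the lower bound the CVE text implies (constructed from the last comment).
WITH_LOWER_BOUND = CpeMatch("itextpdf", "itext", start_including="7.1.7", end_excluding="7.2.2")


def evaluate(version: str = "5.5.13.4") -> dict:
    """Whether each range flags the given iText version (the com.itextpdf/itextpdf artifact)."""
    return {
        "as_registered": AS_REGISTERED.applies_to("itextpdf", "itext", version),
        "with_lower_bound": WITH_LOWER_BOUND.applies_to("itextpdf", "itext", version),
    }
```

Running evaluate("5.5.13.4") shows the registered record flags the iText 5 artifact while the bounded one does not, which is exactly the range correction the comment says only NVD can apply.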

aikebah closed this as not planned (duplicate) on Aug 24, 2024