[FP]: keycloak-osgi-adapter for CVE-2023-6563

[githubuserVenkat]

Package URl

pkg:maven/org.keycloak/[email protected]

CPE

cpe:2.3:a:keycloak:keycloak:18.0.2:::::::, cpe:2.3:a:redhat:keycloak:18.0.2:::::::

CVE

CVE-2023-6563

ODC Integration

None

ODC Version

10.0.3

Description

actual vulnerable component is keycloak version before 21.0.0, however OWASP is considering keycloak-osgi-adapter-18.0.2.jar as keycloak jar and version matches to vulnerable version 21.0

Note currently used keycloak version is 22.0.5

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.keycloak</groupId>
   <artifactId>keycloak-osgi-adapter</artifactId>
   <version>18.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6909
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-osgi-adapter@.*$</packageUrl>
   <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10472205438

[aikebah]

OSGI adapter library is an EOL-ed abandoned part of the Keycloak project and as such is properly mapped to the CPE of keycloak at NVD.

This project does not manage attribution of CVEs to specific sublibraries of a project.

The library was removed from the Keycloak codebase by the removal of the Fuse 6&7 adapters at keycloak/keycloak#11740