As FTPServer is an independently managed subproject under the umbrella of the Apache MINA project, it would indeed get a CPE separate from the MINA product assigned should a CVE get reported for it in the future, but the suppression suggested by the bot should not be used, as it is very likely that NVD would opt for product mina-ftpserver (after the GitHub repo) and the CPE suppression quoted would suppress it due to comparing using case-insensitive prefix matching.
<suppress base="true">
  <notes><![CDATA[ FP per issue #7043]]></notes>
  <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/ftplet-api@.*$</packageUrl>
  <cpe regex="true">^cpe:/a:apache:mina:.*</cpe>
</suppress>
Should do the right suppression IIRC. I'll double-check that for proper working and will add it manually to the hosted suppressions (and update this comment should I discover that the suppression rule should be further adapted to be correct).
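A simplified model of the matching behaviour described in the comment above, added here as an illustration; it is not dependency-check's own code or part of the original thread. The plain-prefix rule value and the `mina-ftpserver` CPE are constructed assumptions, the latter standing in for a product name NVD might assign later.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CpeRule:
    """Simplified stand-in for one <suppress> entry (hypothetical model)."""
    package_url_regex: str  # <packageUrl regex="true"> value
    cpe: str                # <cpe> value
    cpe_is_regex: bool      # True for <cpe regex="true">

def cpe_matches(rule: CpeRule, cpe: str) -> bool:
    if rule.cpe_is_regex:
        # Regex rules must match the whole identifier, ignoring case.
        return re.fullmatch(rule.cpe, cpe, re.IGNORECASE) is not None
    # Plain rules: case-insensitive prefix comparison, as the comment describes.
    return cpe.lower().startswith(rule.cpe.lower())

def suppressed_cpes(rule: CpeRule, purl: str, cpes: list[str]) -> list[str]:
    """Return the CPEs of one dependency that the rule would suppress."""
    if re.fullmatch(rule.package_url_regex, purl) is None:
        return []
    return [c for c in cpes if cpe_matches(rule, c)]

PURL_REGEX = r"^pkg:maven/org\.apache\.ftpserver/ftplet-api@.*$"

# Assumed shape of a plain (non-regex) CPE suppression; constructed value.
PREFIX_RULE = CpeRule(PURL_REGEX, "cpe:/a:apache:mina", cpe_is_regex=False)
# The regex rule quoted in the thread: the trailing ':' ends the product name.
REGEX_RULE = CpeRule(PURL_REGEX, r"^cpe:/a:apache:mina:.*", cpe_is_regex=True)

# Constructed sample identifiers.
PURL = "pkg:maven/org.apache.ftpserver/ftplet-api@1.2.0"
MINA = "cpe:/a:apache:mina:1.2.0"                  # the false-positive match
FTPSERVER = "cpe:/a:apache:mina-ftpserver:1.2.0"   # hypothetical future CPE

if __name__ == "__main__":
    for name, rule in (("prefix", PREFIX_RULE), ("regex", REGEX_RULE)):
        print(name, "suppresses:", suppressed_cpes(rule, PURL, [MINA, FTPSERVER]))
```

The prefix rule hides both identifiers, so a genuine future finding against the hypothetical FTPServer CPE would be silenced along with the false positive; the anchored regex only hides the MINA match.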
Package URL
pkg:maven/org.apache.ftpserver/ftplet-api@1.2.0
CPE
cpe:2.3:a:apache:mina:1.2.0:*:*:*:*:*:*:* (Confidence:Low)
CVE
CVE-2021-41973
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
10.0.4
Description
After #7026 (comment) was resolved, the package ftplet-api is now matched with apache mina. Interestingly, ftplet-core has a dependency to apache mina, but in another (patched) version: 2.1.6 which means I get the following false positive:
ftplet-api-1.2.0.jar (pkg:maven/org.apache.ftpserver/ftplet-api@1.2.0, cpe:2.3:a:apache:mina:1.2.0:*:*:*:*:*:*:*) : CVE-2021-41973