[FP]: Many FPs on mysql-connector-j that are for the mysql server

[chadlwilson]

Package URl

pkg:maven/com.mysql/[email protected]

CPE

cpe:2.3:a:mysql:mysql:9.0.0:*:*:*:*:*:*:*

CVE

CVE-2024-21196, CVE-2024-21230, CVE-2024-21238 etc etc

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

10.0.4

Description

Historically individual CVE suppressions were used, however the mysql connectors have their own CPEs as below so this is no longer appropriate. Will submit PRs to correct this and reduce ongoing maintenance headache.

cpe:2.3:a:oracle:mysql_connector\/j:9.0.0:*:*:*:*:*:*:* 
cpe:2.3:a:oracle:mysql_connectorsj:9.0.0:*:*:*:*:*:*:* 

https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-suppression.xml#L3210-L3818

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.mysql</groupId>
   <artifactId>mysql-connector-j</artifactId>
   <version>9.0.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7057
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.mysql/mysql-connector-j@.*$</packageUrl>
   <cpe>cpe:/a:mysql:mysql</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11377631854

[chadlwilson]

Fixed in #7058 (still to be published on the hosted suppressions at time of writing)

[aikebah]

published now with the help of another FP Report workflow

[chadlwilson]

Cool, will submit cleanup PR to master shortly.