[FP]: Quarkus postgresql extension for CVE-2015-0244 #6879
Comments
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10243313625
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10243349218
Maven Coordinates:
<dependency>
  <groupId>io.quarkus</groupId>
  <artifactId>quarkus-jdbc-postgresql</artifactId>
  <version>3.2.7.Final</version>
</dependency>

Suppression rule:
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6879
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-postgresql@.*$</packageUrl>
  <cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10243364212
@edward9944 - refer to #6817 - you are running an outdated DependencyCheck version that is no longer to be used. Your FP does not appear to be reproducible.
@aikebah we have tried with dependency-check version 10.0.3; we are still getting the CVE in the OWASP report.
Maven Coordinates:
<dependency>
  <groupId>io.quarkus</groupId>
  <artifactId>quarkus-jdbc-postgresql</artifactId>
  <version>3.2.7.Final</version>
</dependency>

Suppression rule:
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6879
  ]]></notes>
  <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-postgresql@.*$</packageUrl>
  <cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10299619013
@edward9944 Can you check whether your jar-file is properly identical to the artifact as hosted on Maven Central?

Should get joined up with other quarkus libraries and not be linked to postgresql.

If your file is not binary equivalent, that might explain an improper match to postgresql due to fuzzy text matching (typically in those cases the pkgurl would not be in the report, as the CLI was unable to link it to a maven G/A/V; something similar might happen if you disable the CentralAnalyzer and don't configure a NexusAnalyzer to replace it).

A CLI run on the jar-files obtained from Maven Central is expected to bundle the quarkus-jdbc-postgresql library with other quarkus libraries of the same version in the report as 'related dependency'.
I have cross-checked the MD5 value between the maven central repository and our own repository and it looks the same.
Package URL
pkg:maven/io.quarkus/quarkus-jdbc-postgresql@3.2.7.Final
CPE
cpe:2.3:a:postgresql:postgresql:3.2.7:::::::, cpe:2.3:a:quarkus:quarkus:3.2.7:::::::
CVE
CVE-2015-0244
ODC Integration
None
ODC Version
10.0.3
Description
The actual vulnerable postgresql version for CVE-2015-0244 is less than 9.4.1; however, Quarkus uses postgresql version 42.6.0.
Quarkus has packaged the postgresql extension jar as version 3.2.7, so OWASP considers this to be the actual postgresql and marks it as vulnerable.
Note: the Package URL was missing in the OWASP scan result; since it is mandatory to provide a package URL to create an issue in GitHub, we provided it manually.
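As an added example (not part of this issue thread and not DependencyCheck's own code), the following Python script carries out the two checks discussed here: it derives the Maven Central artifact and checksum sidecar URLs from the package URL so that a local jar can be compared byte-for-byte with the published artifact, as asked in the comments, and it shows why a CPE version of 3.2.7 (taken from the quarkus artifact) lands inside the "less than 9.4.1" range the issue gives for CVE-2015-0244 while the driver version 42.6.0 that the issue says Quarkus actually uses does not. The base URL, the helper names, the simple numeric version comparator and the sample bytes are assumptions; nothing is fetched over the network, the contents of the .sha1 or .md5 sidecar file are pasted in by hand.

```python
"""Helpers for reproducing the checks in this issue (added example, not project code)."""
import hashlib
import re

# Assumption: the default Maven Central base URL used by the CentralAnalyzer.
MAVEN_CENTRAL = "https://repo1.maven.org/maven2"

# pkg:maven/<group>/<artifact>@<version>[?qualifiers][#subpath]; qualifiers are ignored here.
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#]+)")


def purl_to_central_urls(purl: str) -> dict:
    """Map a Maven package URL to the jar on Maven Central and its checksum sidecars.

    Maven repositories publish <artifact>.md5 and <artifact>.sha1 next to each file,
    which is what a local jar can be compared against.
    """
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a Maven package URL: {purl}")
    group_path = m["group"].replace(".", "/")
    name = f"{m['artifact']}-{m['version']}.jar"
    jar = f"{MAVEN_CENTRAL}/{group_path}/{m['artifact']}/{m['version']}/{name}"
    return {"jar": jar, "md5": jar + ".md5", "sha1": jar + ".sha1"}


def digest_bytes(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of in-memory bytes (md5 or sha1 match the sidecar formats)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "sha1") -> str:
    """Streamed hex digest of a file on disk, so large jars are not read at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(actual_hex: str, published_text: str) -> bool:
    """Compare a computed digest with the text of a checksum sidecar file.

    Sidecars are usually just the hex digest, but some carry 'digest  filename',
    so only the first token is compared, case-insensitively.
    """
    expected = published_text.strip().split()[0].lower()
    return actual_hex.lower() == expected


def parse_version(version: str) -> tuple:
    """Numeric prefix of a version as a tuple: '3.2.7.Final' -> (3, 2, 7).

    Assumption: a plain numeric comparator is enough for the versions in this issue.
    """
    nums = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple(nums)


# The issue text states the affected postgresql versions are below 9.4.1.
CVE_2015_0244_FIXED = "9.4.1"


def in_cve_2015_0244_range(version: str) -> bool:
    """True when the version is below the fix version quoted in the issue."""
    return parse_version(version) < parse_version(CVE_2015_0244_FIXED)


if __name__ == "__main__":
    urls = purl_to_central_urls("pkg:maven/io.quarkus/quarkus-jdbc-postgresql@3.2.7.Final")
    print("compare your jar against:", urls["sha1"])
    # Constructed sample bytes standing in for a downloaded jar and its sidecar.
    sample = b"constructed sample bytes, not a real jar"
    sidecar = digest_bytes(sample) + "  quarkus-jdbc-postgresql-3.2.7.Final.jar"
    print("local copy matches published checksum:", checksum_matches(digest_bytes(sample), sidecar))
    # Why the report fires: the matched CPE version is 3.2.7, the real driver is 42.6.0.
    for v in ("3.2.7", "42.6.0"):
        print(f"version {v} inside CVE-2015-0244 range: {in_cve_2015_0244_range(v)}")
```

To use it against a real file, compute `file_digest("/path/to/quarkus-jdbc-postgresql-3.2.7.Final.jar")` and pass it with the downloaded `.sha1` sidecar contents to `checksum_matches`; a mismatch means the scanned file is not the Maven Central artifact, which is the situation the comments say leads to fuzzy text matching instead of a G/A/V link.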