[FP]: False positive findings in Dependency Checker of Java Component

[ashu4]

Package URl

pkg:Java8/1.8.0.421/1/fast/jdk1.8.0.421/jre/lib/jfr.jar

CPE

cpe:2.3:a:oracle:jrockit:1.8.0.421:::::::*

CVE

No response

ODC Integration

{"label" => "Docker"}

ODC Version

7.1.0

Description

Hi Team,

We are getting following vulnerabilities (CVEs) in Dependency Checker Tool findings, although as per our analysis we consider them as false positive.
CVEs details and our justification for false positive for each CVE is mentioned below.
Kindly check and get it fixed in Dependency Checker tool. So these false positive does not appear in scan report.

<CVE-2009-1006,CVE-2011-3545,CVE-2013-2380,CVE-2013-5782,CVE-2013-5830,CVE-2011-3556,CVE-2013-5802,CVE-2011-3551>
Dependency Checker tool is scanning below mentioned path
File Path:Java8/1.8.0.421/1/fast/jdk1.8.0.421/jre/lib/jfr.jar

Justification: These vulnerabilities are related to Oracle JAVA 7, JAVA 6, JAVA 5 and earlier and Oracle Fusion Middleware and Java Jrockit. We have JAVA 8 only and also does not include Oracle Fusion Middleware and Java Jrockit.
Hence these vulnerabilities are false positive.

[aikebah]

Seems to be not reproducible with an up-to-date CLI, but due to Oracle licensing its JVM I can only validate with openJDK builds - update your CLI and if still there report back with full evidence list of the library