[FP]: False positive findings in Dependency Checker for jackson-core component #7385
Comments
|
Maven Coordinates <dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.14.2</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #7385
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-core@.*$</packageUrl>
<cpe>cpe:/a:fasterxml:jackson-modules-java8</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/13235156712 |
|
Not reproducible with an up-to-date CLI - update your DependencyCheck CLI version, it's outdated |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/com.fasterxml.jackson.core/[email protected]
CPE
cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.2:::::::* cpe:2.3:a:json-java_project:json-java:2.14.2:::::::*
CVE
CVE-2023-5072
ODC Integration
{"label" => "Docker"}
ODC Version
7.1.0
Description
Hi Team,
We are getting following vulnerabilities (CVEs) in Dependency Checker Tool findings, although as per our analysis we consider them as false positive.
CVEs details and our justification for false positive for each CVE is mentioned below.
Kindly check and get it fixed in Dependency Checker tool. So these false positive does not appear in scan report.
CVE-2023-5072
Dependency Checker tool is scanning below mentioned path
File Path: jackson-core.jar
Justification: This vulnerability is specific to json-java library.
Tool is reporting this vulnerability on jackson-core library. Although this vulnerability is specific to json-java library.
json-java is also not a dependent libary of jackson-core.
Hence this vulnerability is false positive.
The text was updated successfully, but these errors were encountered: