We are getting the following vulnerabilities (CVEs) in the Dependency Checker Tool findings, although as per our analysis we consider them false positives.
The CVE details and our justification for a false positive for each CVE are mentioned below.
Kindly check and get it fixed in the Dependency Checker tool, so that these false positives do not appear in the scan report.
CVE-2024-45394
Justification: This vulnerability is related to Authenticator, a browser extension tool that adds two-factor authentication (2FA) functionality directly into your web browser.
We do not include the authenticator tool, although the scanner is falsely identifying it.
We include a jar file named authenticator, not the authenticator tool.
Hence we consider this vulnerability a false positive.
Sounds like a proprietary library of your own (as your report does not have a valid packageURL and has a SNAPSHOT version). Such FPs are to be expected by users due to how dependencycheck works and should be suppressed by yourself as documented - http://jeremylong.github.io/DependencyCheck/general/suppression.html
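A suppression file of the kind the linked documentation describes, as an added example that is not part of the original thread or the project's own files. The CPE and CVE are taken from the report; the jar path pattern is an assumed placeholder to be replaced with the real artifact path.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Preferred: drop the wrong CPE match itself. The in-house jar is not the
       Authenticator browser extension, so every CVE attached to that CPE is
       a false positive for this file, not only CVE-2024-45394. -->
  <suppress>
    <notes><![CDATA[
      In-house jar named "authenticator" is misidentified as
      cpe:2.3:a:authenticator:authenticator (browser extension). Reviewed: not the same product.
    ]]></notes>
    <!-- Assumed placeholder path: scope the rule to the one artifact so a
         genuine match on another dependency is still reported. -->
    <filePath regex="true">.*/authenticator-[^/]*\.jar</filePath>
    <cpe>cpe:/a:authenticator:authenticator</cpe>
  </suppress>

  <!-- Narrower alternative: keep the CPE match and hide only the one CVE
       named in the report, limited to the same file. -->
  <suppress>
    <notes><![CDATA[
      CVE-2024-45394 applies to the Authenticator browser extension, which is not shipped.
    ]]></notes>
    <filePath regex="true">.*/authenticator-[^/]*\.jar</filePath>
    <cve>CVE-2024-45394</cve>
  </suppress>

</suppressions>
```

Pass the file to the scan with the CLI's `--suppression` option. Only one of the two rules is needed; the first removes the misidentification, the second leaves it visible in the report while hiding the single CVE.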
Package URL
pkg:[email protected]
CPE
cpe:2.3:a:authenticator:authenticator:0.1.0:snapshot::::::
CVE
CVE-2024-45394
ODC Integration
{"label" => "Docker"}
ODC Version
7.1.0