-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FP]: CVE-2022-41852 has been rejected #5092
Comments
Maven Coordinates <dependency>
<groupId>commons-jxpath</groupId>
<artifactId>commons-jxpath</artifactId>
<version>1.3</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #5092
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3547275815 |
Maven Coordinates <dependency>
<groupId>commons-jxpath</groupId>
<artifactId>commons-jxpath</artifactId>
<version>1.3</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #5092
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3547368448 |
Something you should take up with the vulnerability source - Sonatype OSSIndex. As their researchers link package-URLs to vulnerabilities their researchers are either not aware of it, or they disagree with the analysis that it's not a security vulnerability. Best course forward would be opening a ticket for it at https://github.com/OSSIndex/vulns (which is known to sometimes take a while to get responses). Also note the discussions on the related github issue: there is a big security risk in the library when you use it to process XPaths (partly) based on untrusted inputs |
Maven Coordinates <dependency>
<groupId>commons-jxpath</groupId>
<artifactId>commons-jxpath</artifactId>
<version>1.3</version>
</dependency> Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #5092
]]></notes>
<packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
<cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress> Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3563743697 |
@aikebah Thanks for your advice ! To go further : apache/commons-jxpath#25 & apache/commons-jxpath#26 In particular case of Eureka Client, an issue has been opened : Netflix/eureka#1471 |
Package URl
pkg:maven/commons-jxpath/commons-jxpath@1.3
CPE
cpe:2.3:a:apache:commons_jxpath:1.3:::::::*
CVE
CVE-2022-41852
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
7.3.2
Description
CVE-2022-41852 has been rejected
Present in
spring-cloud-netflix-eureka-client
v3.1.4 ( cf. Netflix/eureka#1471 )The text was updated successfully, but these errors were encountered: