
[FP]: org.json CVE-2022-45688 reported for version 20230227 while reporting a fix in version 20230227 #5693

Closed
michalszelagsonos opened this issue May 3, 2023 · 7 comments
Labels: duplicate, FP Report, maven (changes to the maven plugin)


michalszelagsonos commented May 3, 2023

Package URL: pkg:maven/org.json/json@20230227

CPE: cpe:2.3:a:hutool:hutool:5.8.10:::::::*

CVE: CVE-2022-45688

ODC Integration: Gradle Plugin

ODC Version: 8.2.1

Description

The CVE was detected for org.json version 20230227 which is a version that has a fix for the said CVE:
https://github.com/stleary/JSON-java/releases/tag/20230227

Even the HTML report says so, from the report:
cpe:2.3:a:json-java_project:json-java:::::::: versions up to (excluding) 20230227

This looks like a false positive. I also found this issue, which mentioned a misleading CPE in this report: #5401.

github-actions bot commented May 3, 2023

Error parsing package url: https://mvnrepository.com/artifact/org.json/json/20230227.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions bot commented May 3, 2023

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/4873319434

github-actions bot commented May 3, 2023

Error parsing package url: https://mvnrepository.com/artifact/org.json/json/20230227.

Error: Error: purl is missing the required "pkg" scheme component.

Please correct the package URL - consider copying the package url from the HTML report.

github-actions bot commented May 3, 2023

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/4873333789

github-actions bot commented May 3, 2023

Maven Coordinates

<dependency>
   <groupId>org.json</groupId>
   <artifactId>json</artifactId>
   <version>20230227</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5693
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
   <cpe>cpe:/a:hutool:hutool</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/4873354009

@github-actions github-actions bot added the maven changes to the maven plugin label May 3, 2023
github-actions bot commented May 3, 2023

Maven Coordinates

<dependency>
   <groupId>org.json</groupId>
   <artifactId>json</artifactId>
   <version>20230227</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5693
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
   <cpe>cpe:/a:hutool:hutool</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/4873385478
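The following is an added example, not code from the DependencyCheck project or from anyone in this thread. It reproduces in plain Python the two mechanical checks that show up above: the Package URL scheme check the issue bot tripped over when it was handed an mvnrepository.com link instead of a purl, and the NVD-style range comparison ("versions up to (excluding) 20230227") that explains why json@20230227 should not match the CVE. It also tests a purl against the packageUrl regex from the generated suppression rule. The hutool purl in the usage section is constructed for the demo and is not taken from the issue.

```python
"""
Added example (not DependencyCheck code): purl parsing, an NVD-style
version-range check, and matching a purl against a suppression regex.
"""
import re
from typing import Optional
from urllib.parse import unquote


class PurlError(ValueError):
    """Raised for strings that are not valid Package URLs."""


def parse_purl(purl: str) -> dict:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath into parts.

    The purl spec requires the literal "pkg" scheme first; that is the check
    the bot above reported failing for an https:// link.
    """
    if not purl.startswith("pkg:"):
        raise PurlError('purl is missing the required "pkg" scheme component')
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    ptype, sep, remainder = rest.partition("/")
    if not sep or not remainder:
        raise PurlError("purl must contain a type and a name")
    if "@" in remainder:
        path, _, version = remainder.rpartition("@")
    else:
        path, version = remainder, ""
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise PurlError("purl must contain a name")
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {
        "type": ptype.lower(),
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1],
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }


def is_purl(value: str) -> bool:
    """True if value parses as a purl, False otherwise (never raises)."""
    try:
        parse_purl(value)
        return True
    except PurlError:
        return False


def version_key(version: str) -> tuple:
    """Sortable key: numeric segments compare as ints, others as text.

    Sufficient for date-style versions (20230227) and dotted ones (5.8.10);
    it is not a full Maven version comparator.
    """
    key = []
    for part in re.split(r"[.\-_+]", version):
        key.append((0, int(part), "") if part.isdigit() else (1, 0, part.lower()))
    return tuple(key)


def is_affected(version: str, end_excluding: Optional[str] = None,
                start_including: Optional[str] = None) -> bool:
    """Apply an NVD-style range [start_including, end_excluding)."""
    key = version_key(version)
    if start_including is not None and key < version_key(start_including):
        return False
    if end_excluding is not None and key >= version_key(end_excluding):
        return False
    return True


def suppression_matches(purl: str, package_url_regex: str) -> bool:
    """Does a dependency's purl match a <packageUrl regex="true"> pattern?"""
    return re.fullmatch(package_url_regex, purl) is not None


if __name__ == "__main__":
    reported = "pkg:maven/org.json/json@20230227"  # purl from the issue
    bad_input = "https://mvnrepository.com/artifact/org.json/json/20230227"
    rule_regex = r"^pkg:maven/org\.json/json@.*$"   # from the suppression rule
    other = "pkg:maven/cn.hutool/hutool-all@5.8.10"  # constructed for the demo
    print(parse_purl(reported))
    print("bot rejects mvnrepository link:", not is_purl(bad_input))
    version = parse_purl(reported)["version"]
    print("json-java range hit:", is_affected(version, end_excluding="20230227"))
    print("rule matches reported purl:", suppression_matches(reported, rule_regex))
    print("rule matches hutool purl:", suppression_matches(other, rule_regex))
```

Run it as a script to see the four checks; is_affected returns False for 20230227 against "up to (excluding) 20230227", which is the reporter's point, and the suppression regex matches only the org.json purl, not other artifacts that happen to carry the hutool CPE.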

aikebah (Collaborator) commented May 3, 2023

Duplicate of #5545

@aikebah aikebah marked this as a duplicate of #5545 May 3, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 20, 2024