jersey-apache-client4-1.19.1.jar reporting a false positive on httpclient

Satish Swargam

Jun 7, 2016, 3:07:47 PM
to Dependency Check
Two issues were reported on the use of Jersey client.

Both issues relate to the use of Apache HttpComponents HttpClient before v4.3.5.
The dependency was resolved to use the latest Apache HttpComponents HttpClient v4.5.2, and the issue is still being flagged in the OWASP dependency check report.

Thanks.


Jeremy Long

Jun 18, 2016, 7:14:52 AM
to Dependency Check
Thanks for reporting this. I have committed a change to the current snapshot to suppress this false positive. In the meantime you could use a suppression file with the following:


    <suppress>
        <notes><![CDATA[
        Suppresses false positives on jersey-apache-client4
        ]]></notes>
        <gav regex="true">com\.sun\.jersey\.contribs:jersey-apache-client.*</gav>
        <cpe>cpe:/a:apache:httpclient</cpe>
    </suppress>

--Jeremy
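
A scope check for the suppression rule above, added here as an example and not part of the original post or of dependency-check's code. It uses a simplified model of rule matching (the `gav` regex must match the whole Maven coordinate, and a version-less `cpe` entry covers every version), which is an assumption of this example, and the scan records in `SAMPLE` are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the post, embedded so the script runs offline.
RULE_XML = r"""<suppress>
    <notes><![CDATA[
    Suppresses false positives on jersey-apache-client4
    ]]></notes>
    <gav regex="true">com\.sun\.jersey\.contribs:jersey-apache-client.*</gav>
    <cpe>cpe:/a:apache:httpclient</cpe>
</suppress>"""

def load_rule(xml_text):
    """Extract the gav selector and the CPE entries from one <suppress> element."""
    node = ET.fromstring(xml_text)
    gav = node.find("gav")
    return {
        "gav": gav.text.strip(),
        "gav_is_regex": gav.get("regex") == "true",
        "cpes": [c.text.strip() for c in node.findall("cpe")],
    }

def gav_selected(rule, gav):
    """Assumed semantics: a regex gav must match the whole coordinate."""
    if rule["gav_is_regex"]:
        return re.fullmatch(rule["gav"], gav) is not None
    return rule["gav"] == gav

def cpe_suppressed(rule, cpe):
    """Assumed semantics: a version-less CPE entry covers every version of it."""
    return any(cpe == entry or cpe.startswith(entry + ":") for entry in rule["cpes"])

def remaining_cpes(rule, gav, cpes):
    """Return the CPE identifiers that would still be reported for a dependency."""
    if not gav_selected(rule, gav):
        return list(cpes)
    return [c for c in cpes if not cpe_suppressed(rule, c)]

# Constructed scan results: (Maven coordinate, CPEs the scanner attached to it).
SAMPLE = [
    ("com.sun.jersey.contribs:jersey-apache-client4:1.19.1", ["cpe:/a:apache:httpclient:1.19.1"]),
    ("org.apache.httpcomponents:httpclient:4.2.1", ["cpe:/a:apache:httpclient:4.2.1"]),
]

if __name__ == "__main__":
    rule = load_rule(RULE_XML)
    for gav, cpes in SAMPLE:
        print(gav, "->", remaining_cpes(rule, gav, cpes) or "suppressed")
```

Because the rule is keyed on the Jersey coordinate, a genuinely outdated `httpclient` jar elsewhere in the build is still reported.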

Satish Swargam

Jun 25, 2016, 5:11:49 PM
to Dependency Check
Thanks, Jeremy.