Is lang-tag-1.5.jar a false positive


Kaj Hejer

Jan 7, 2021, 5:59:58 AM
to dependen...@googlegroups.com
Hi

Is lang-tag-1.5.jar a false positive?

We get "lang-tag-1.5.jar (pkg:maven/com.nimbusds/lang-tag@1.5, cpe:2.3:a:tag_project:tag:1.5:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245" with dependency-check-maven 6.0.4.

The CVEs refer to dhowden tag, which seems to be something other than com.nimbusds lang-tag, or am I wrong?

Thanks!


-Kaj :)

Hans Aikema

Jan 7, 2021, 7:00:48 AM
to Kaj Hejer, dependen...@googlegroups.com
Hi Kaj,

Yes it is, we ran into the same FP for other projects containing 'tag' in their name (at least some JSF taglibs). Wanted to open up a FP issue for that, but didn't get around to doing it yet.

It definitely is an FP for your library as well.

It's likely a new CPE due to the first registered CVEs for project_tag, so now we see FPs surfacing for other projects that don't have a vulnerability (and therefore no presence in the CPE caches) and now get matched to project_tag because it is the 'best match' for the known CPEs.

Kind regards,
Hans

> On 7 Jan 2021, at 11:59, Kaj Hejer <kaj...@gmail.com> wrote:
>
> Hi
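A suppression rule for this false positive, added here as an example (it is not from the thread and not code shipped by the DependencyCheck project): it suppresses the tag_project:tag CPE only for the com.nimbusds lang-tag artifact, so a genuine finding against the same CPE in another dependency would still be reported. The file name and the schema version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: dependency-check-suppressions.xml, referenced from the
     dependency-check-maven plugin via <suppressionFiles>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: lang-tag-1.5.jar (com.nimbusds) is matched to
        cpe:2.3:a:tag_project:tag (dhowden tag, an unrelated Go library),
        which pulls in CVE-2020-29242 .. CVE-2020-29245.
        Scope the suppression to the package URL so the CPE stays active
        for any other dependency.
        ]]></notes>
        <!-- regex on the package URL: any version of this one artifact -->
        <packageUrl regex="true">^pkg:maven/com\.nimbusds/lang\-tag@.*$</packageUrl>
        <!-- suppress the CPE match itself (all four CVEs hang off it),
             rather than listing the CVE ids one by one -->
        <cpe>cpe:/a:tag_project:tag</cpe>
    </suppress>
</suppressions>
```

Suppressing the CPE rather than the individual CVE ids also covers future CVEs filed against tag_project:tag, which is the intended behaviour here because the CPE match, not the CVE list, is what is wrong.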

Kaj Hejer

Jan 7, 2021, 8:18:07 AM
to Hans Aikema, dependen...@googlegroups.com
Thanks!

I created an issue on this, please see https://github.com/jeremylong/DependencyCheck/issues/3061


-Kaj :)