[FP]: Quarkus postgresql extension for CVE-2015-0244 #6879
Comments
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10243313625 |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10243349218 |
|
Maven Coordinates <dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-jdbc-postgresql</artifactId>
<version>3.2.7.Final</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6879
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10243364212 |
|
@edward9944 - refer to #6817 - you run an outdated and no longer to be used DependencyCheck version. Your FP does not appear to be reproducible |
|
@aikebah we have tried with dependency-check version: 10.0.3 still we are getting the CVE in OWASP report. |
|
Maven Coordinates <dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-jdbc-postgresql</artifactId>
<version>3.2.7.Final</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6879
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-postgresql@.*$</packageUrl>
<cpe>cpe:/a:postgresql:postgresql</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10299619013 |
|
@edward9944 Can you check whether your jar-file is properly identical to the artifact as hosted on maven central: Should get joined up with other quarkus libraries and not be linked to postgresql If your file is not binary equivalent that might explain an improper matching to postgresql due to fuzzy textmatching (typically in those cases pkgurl would not be in the report as the CLI was unable to link it to a maven G/A/V; similar might happen if you disable the CentralAnalyzer (and don't configure a NexusAnalyzer to replace it)) A CLI run on the jar-files obtained from Maven Central is expected to bundle the quarkus-jdbc-postgresql library with other quarkus libraries of the same version in the report as 'related dependency' |
|
I have crosschecked the MD5 value between maven certral repository and our own repository and it looks same. |
Package URl
pkg:maven/io.quarkus/[email protected]
CPE
cpe:2.3:a:postgresql:postgresql:3.2.7:::::::, cpe:2.3:a:quarkus:quarkus:3.2.7:::::::
CVE
CVE-2015-0244
ODC Integration
None
ODC Version
10.0.3
Description
Actual postgresql vulnerable version is less than 9.4.1 for this CVE CVE-2015-0244 however Quarkus uses the postgresql version 42.6.0.
Quarkus have packed postgresql extension jar version 3.2.7, so OWASP consider this as actual postgresql and marking it as vulnerable.
Note : Package URL was missing in the OWASP scan result, since it is mandatory to provide a package URL to create a issue in GitHub so we provided it manualy.
The text was updated successfully, but these errors were encountered: