[FP]: dnsjava CVE-2024-25638 #6984
Comments
|
Maven Coordinates <dependency>
<groupId>dnsjava</groupId>
<artifactId>dnsjava</artifactId>
<version>2.1.7</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6984
]]></notes>
<packageUrl regex="true">^pkg:maven/dnsjava/dnsjava@.*$</packageUrl>
<cpe>cpe:/a:undefined:undefined</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11008424945 |
aikebah
added
won't fix
ossindex
|
GHSA listed is not a source for DependencyCheck. NVD is, but as you indicate still needs to attribute the versions. OSSINDEX is also a source and in there your exact version of the library is flagged as affected by the CVE. Note that typically OSSINDEX does not take the CVE report at face value, but has their own team that decides on the applicability and may even decide to not accept a software change as fixing the reported vulnerability. ODC correctly reports that one of the consulted resources (in this case OSSINDEX) is flagging the evaluated library as affected by the CVE. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/dnsjava/[email protected]
CPE
null
CVE
CVE-2024-25638
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
10.0.3
Description
GHSA-cfxw-4h78-h7fw
https://nvd.nist.gov/vuln/detail/CVE-2024-25638#VulnChangeHistorySection
This vulnerability is still under analysis on the nvd website. In github, this vulnerability only affects version 3.5.0 of dnsjava. 2.1.7 shall be unaffected.
The text was updated successfully, but these errors were encountered: