
Comments (6)

stl543 avatar stl543 commented on July 2, 2024 1

Hello !
Thanks for your answer. The uploaded BOM doesn't contain any CPE information...
Here are the parts dealing with the two artifacts (jcalendar and mail):

<components>
  <component type="library" bom-ref="pkg:maven/com.toedter/jcalendar@1.4?type=jar">
    <group>com.toedter</group>
    <name>jcalendar</name>
    <version>1.4</version>
    <scope>required</scope>
    <hashes>
      <hash alg="MD5">0a0863943cf89741c7a0c2721027446d</hash>
      <hash alg="SHA-1">180cf82b37b0c1324e7de33bd0114be7d86678cd</hash>
      <hash alg="SHA-256">284fcfbb7938d5b85bb0f540c712fa042521a4c50f4a5d47da02ba19bff291eb</hash>
      <hash alg="SHA-512">612a8bce9ad14474fdd163ab0f8e95e4b6f5318b405751c650143b4d18613de7e03355d022823a9971188fc90586b6c3a525730d58622816968a8fb97f7a6a26</hash>
      <hash alg="SHA-384">17bb0d73a146352c95daee35656856d663d68bd25874edead4e1ebf3b206b7911501e0016941800d8b6e993cad342961</hash>
      <hash alg="SHA3-384">650e79914b21a5c5bbe4da322e7985ffa386da1736fc24f1ff891402389c646790aca2e983811869abd2a35339372444</hash>
      <hash alg="SHA3-256">0bb0129e2a8af16e05396a9821b315d3ceb1e056c442c3f17480be84f1d92899</hash>
      <hash alg="SHA3-512">27c418c1433b9c668a49214390b957b49839832f118e6633e753b391177f5c2be06b30fd833c22fcf1eb6d3bcb284f7442bb3f3460de0c5cf8bd5c6968f13c4e</hash>
    </hashes>
    <licenses/>
    <purl>pkg:maven/com.toedter/jcalendar@1.4?type=jar</purl>
  </component>
  <component type="library" bom-ref="pkg:maven/javax.mail/mail@1.4.7?type=jar">
    <group>javax.mail</group>
    <name>mail</name>
    <version>1.4.7</version>
    <scope>required</scope>
    <hashes>
      <hash alg="MD5">77f53ff0c78ba43c4812ecc9f53e20f8</hash>
      <hash alg="SHA-1">9add058589d5d85adeb625859bf2c5eeaaedf12d</hash>
      <hash alg="SHA-256">78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb</hash>
      <hash alg="SHA-512">331d2ecda625f4ad8a2c2539b577e9906787e7ef08d47683f45dd6fff18e3b7601071f20970896210bd26498018aa570fe2ab4bfd7f7084068a234a809bbd481</hash>
      <hash alg="SHA-384">9b2529ac136de86400b6eaa9eb887cdc3de3cd993131caf99ce808bc2ac208b01772018aa38d49ca0bd1bc962e08834a</hash>
      <hash alg="SHA3-384">4c86276795145265031b3ea63c097106df20076151c8a3a682a7092d68d91f243697286e3f543e8a1ef1e46ed4bb157e</hash>
      <hash alg="SHA3-256">eef5fbcc453d8f709bc49c5f3d4f02a7cd8437f62cab9eb6b5396713a2098973</hash>
      <hash alg="SHA3-512">c28159ba68a18d7d57428fcd75a9b019b3e79e573debbeef2859ba522309b9362552c861063a5ab541175bfb0ae69c08e5fa237f3ed3b05160de46e4fd2d8132</hash>
    </hashes>
    <licenses/>
    <purl>pkg:maven/javax.mail/mail@1.4.7?type=jar</purl>
  </component>
</components>

from dependency-track.

nscuro avatar nscuro commented on July 2, 2024 1

Okay, that's odd then.

In the "Audit Vulnerabilities" tab, what is it showing as the analyzer that found the vulnerabilities?

Do you have fuzzy CPE matching enabled?


stl543 avatar stl543 commented on July 2, 2024 1

Hello,
The two vulnerabilities are still displayed in the "Audit Vulnerabilities" tab.
Is there a cache to clear for the already-found vulnerabilities, or a way to be sure that no false-positive CVEs are still being found?
Thanks for your help !
Estelle


nscuro avatar nscuro commented on July 2, 2024

Can you please share the BOM you're uploading? Really the only relevant parts of the BOM are the components you're getting false positives on.

Just to give an example, CPEs support wildcards (*). If the BOM you're uploading uses CPEs like this:

cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*

You will get matches with cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* (versions < 1.11.8), because * matches nextcloud, and 1.4.7 is smaller than 1.11.8.

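A worked model of the wildcard match described in the comment above, and of the BOM check from the first comment (a component that carries a purl but no cpe element). This is an added illustration, not code from the Dependency-Track project, and the real NVD analyzer is more involved than this. It parses a constructed CycloneDX fragment built from the javax.mail component posted earlier, derives a vendor-wildcard CPE from the purl (the assumed shape of a fuzzy purl-to-CPE probe), and tests it against a constructed NVD-style record for nextcloud:mail with an end-excluding version of 1.11.8. The CycloneDX 1.4 namespace, the helper names, and the record itself are assumptions; no CVE identifier is given because the thread names none.

```python
"""Model of how a vendor-wildcard CPE derived from a purl can match an
unrelated NVD product range (added example, not Dependency-Track code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"  # assumed schema version
NS = {"c": CDX_NS}

# Constructed BOM fragment built from the javax.mail component in the thread.
BOM_XML = f"""<bom xmlns="{CDX_NS}" version="1">
  <components>
    <component type="library" bom-ref="pkg:maven/javax.mail/mail@1.4.7?type=jar">
      <group>javax.mail</group>
      <name>mail</name>
      <version>1.4.7</version>
      <purl>pkg:maven/javax.mail/mail@1.4.7?type=jar</purl>
    </component>
  </components>
</bom>"""

PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^@?#]+)@(?P<version>[^?#]+)")


@dataclass
class VulnRange:
    """NVD-style vulnerable configuration: criteria CPE plus optional version bounds."""
    label: str
    criteria: str
    start_including: Optional[str] = None
    end_excluding: Optional[str] = None


# Constructed record mirroring the nextcloud:mail (< 1.11.8) case in the thread.
NVD_RANGES = [VulnRange("constructed nextcloud mail record",
                        "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*", end_excluding="1.11.8")]


def _text(el, tag):
    child = el.find(f"c:{tag}", NS)
    return child.text if child is not None else None


def parse_components(xml_text):
    """Return (name, version, purl, cpe) per component; cpe is None when absent."""
    root = ET.fromstring(xml_text)
    return [(_text(c, "name"), _text(c, "version"), _text(c, "purl"), _text(c, "cpe"))
            for c in root.findall(".//c:component", NS)]


def cpe_from_purl(purl):
    """Vendor-wildcard CPE: the assumed shape of a fuzzy purl-to-CPE probe."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    return f"cpe:2.3:a:*:{m['name']}:{m['version']}:*:*:*:*:*:*:*"


def version_key(v):
    """Compare dotted versions numerically so that 1.4.7 < 1.11.8."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def cpe_matches(probe, vuln):
    """CPE 2.3 field-by-field match; '*' on either side matches anything."""
    p, v = probe.split(":"), vuln.criteria.split(":")
    if len(p) != 13 or len(v) != 13:
        raise ValueError("expected 13-field cpe:2.3 strings")
    for i in range(2, 13):              # part, vendor, product, (version), update ...
        if i != 5 and not (p[i] == "*" or v[i] == "*" or p[i].lower() == v[i].lower()):
            return False
    pv, vv = p[5], v[5]
    if vv != "*":                       # criteria pins one exact version
        return pv == "*" or pv == vv
    if pv == "*":                       # probe carries no version at all
        return True
    key = version_key(pv)
    if vuln.start_including and key < version_key(vuln.start_including):
        return False
    return not (vuln.end_excluding and key >= version_key(vuln.end_excluding))


def find_matches(bom_xml, ranges, fuzzy_purl=True):
    """(component, probe cpe, matched criteria) triples as a fuzzy analyzer would report."""
    hits = []
    for name, _version, purl, cpe in parse_components(bom_xml):
        if cpe is None and not (fuzzy_purl and purl):
            continue                    # fuzzy matching off: no CPE to probe with
        probe = cpe or cpe_from_purl(purl)
        hits += [(name, probe, r.criteria) for r in ranges if cpe_matches(probe, r)]
    return hits


if __name__ == "__main__":
    print("fuzzy on :", find_matches(BOM_XML, NVD_RANGES, fuzzy_purl=True))
    print("fuzzy off:", find_matches(BOM_XML, NVD_RANGES, fuzzy_purl=False))
```

With fuzzy purl matching on, the javax.mail component is reported against the nextcloud:mail range purely because the vendor field is a wildcard and 1.4.7 sorts below 1.11.8; with it off, a component that has no cpe element produces no probe at all, which is the behaviour the thread is about to test.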

stl543 avatar stl543 commented on July 2, 2024

Hello !
Thanks for your response.
These vulnerabilities are found by the NVD analyzer.
But I think you're right: all the fuzzy CPE options are enabled in our configuration.
I am going to check whether the two vulnerabilities disappear when these options are disabled.
I'll keep you informed :)

Best regards,
Estelle

