Comments (6)
Hello!
Thanks for your answer. The uploaded BOM doesn't contain any CPE information...
Here are the parts dealing with the two artifacts (jcalendar and mail):
<components>
<component type="library" bom-ref="pkg:maven/com.toedter/jcalendar@1.4?type=jar">
<group>com.toedter</group>
<name>jcalendar</name>
<version>1.4</version>
<scope>required</scope>
<hashes>
<hash alg="MD5">0a0863943cf89741c7a0c2721027446d</hash>
<hash alg="SHA-1">180cf82b37b0c1324e7de33bd0114be7d86678cd</hash>
<hash alg="SHA-256">284fcfbb7938d5b85bb0f540c712fa042521a4c50f4a5d47da02ba19bff291eb</hash>
<hash alg="SHA-512">612a8bce9ad14474fdd163ab0f8e95e4b6f5318b405751c650143b4d18613de7e03355d022823a9971188fc90586b6c3a525730d58622816968a8fb97f7a6a26</hash>
<hash alg="SHA-384">17bb0d73a146352c95daee35656856d663d68bd25874edead4e1ebf3b206b7911501e0016941800d8b6e993cad342961</hash>
<hash alg="SHA3-384">650e79914b21a5c5bbe4da322e7985ffa386da1736fc24f1ff891402389c646790aca2e983811869abd2a35339372444</hash>
<hash alg="SHA3-256">0bb0129e2a8af16e05396a9821b315d3ceb1e056c442c3f17480be84f1d92899</hash>
<hash alg="SHA3-512">27c418c1433b9c668a49214390b957b49839832f118e6633e753b391177f5c2be06b30fd833c22fcf1eb6d3bcb284f7442bb3f3460de0c5cf8bd5c6968f13c4e</hash>
</hashes>
<licenses/>
<purl>pkg:maven/com.toedter/jcalendar@1.4?type=jar</purl>
</component>
<component type="library" bom-ref="pkg:maven/javax.mail/mail@1.4.7?type=jar">
<group>javax.mail</group>
<name>mail</name>
<version>1.4.7</version>
<scope>required</scope>
<hashes>
<hash alg="MD5">77f53ff0c78ba43c4812ecc9f53e20f8</hash>
<hash alg="SHA-1">9add058589d5d85adeb625859bf2c5eeaaedf12d</hash>
<hash alg="SHA-256">78c33b4f7c7b60f4b680f2d2405b1f063d71929cf1a4fbc328888379f365fcfb</hash>
<hash alg="SHA-512">331d2ecda625f4ad8a2c2539b577e9906787e7ef08d47683f45dd6fff18e3b7601071f20970896210bd26498018aa570fe2ab4bfd7f7084068a234a809bbd481</hash>
<hash alg="SHA-384">9b2529ac136de86400b6eaa9eb887cdc3de3cd993131caf99ce808bc2ac208b01772018aa38d49ca0bd1bc962e08834a</hash>
<hash alg="SHA3-384">4c86276795145265031b3ea63c097106df20076151c8a3a682a7092d68d91f243697286e3f543e8a1ef1e46ed4bb157e</hash>
<hash alg="SHA3-256">eef5fbcc453d8f709bc49c5f3d4f02a7cd8437f62cab9eb6b5396713a2098973</hash>
<hash alg="SHA3-512">c28159ba68a18d7d57428fcd75a9b019b3e79e573debbeef2859ba522309b9362552c861063a5ab541175bfb0ae69c08e5fa237f3ed3b05160de46e4fd2d8132</hash>
</hashes>
<licenses/>
<purl>pkg:maven/javax.mail/mail@1.4.7?type=jar</purl>
</component>
</components>
from dependency-track.
Okay, that's odd then.
In the "Audit Vulnerabilities" tab, what is it showing as the analyzer that found the vulnerabilities?
Do you have fuzzy CPE matching enabled?
Hello,
The two vulnerabilities are still displayed in the "audit vulnerabilities" tab.
Is there a cache to clear for the already-found vulnerabilities, or a way to be sure that no false-positive CVE is found any longer?
Thanks for your help!
Estelle
Can you please share the BOM you're uploading? Really the only relevant parts of the BOM are the components you're getting false positives on.
Just to give an example, CPEs support wildcards (*). If the BOM you're uploading uses CPEs like this:
cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*
You will get matches with cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:* (<1.11.8), because * matches nextcloud, and 1.4.7 is smaller than 1.11.8.
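An added illustration of the wildcard false positive described in the comment above (example code, not Dependency-Track's own matcher): a minimal CPE 2.3 matcher in which a "*" vendor in the BOM CPE is allowed to absorb a concrete NVD vendor only when fuzzy matching is on, and the version range is compared numerically. The `fuzzy` switch, the `version_end_excluding` parameter and the function names are assumptions for this example.

```python
from typing import Optional

CPE_PREFIX = "cpe:2.3:"
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes."""
    if not cpe.startswith(CPE_PREFIX):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = cpe[len(CPE_PREFIX):].split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 11 attributes, got {len(parts)}: {cpe}")
    return dict(zip(FIELDS, parts))


def version_key(v: str) -> tuple:
    """Numeric tuple so that 1.4.7 < 1.11.8 (a plain string compare says the opposite)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def attr_matches(bom: str, vuln: str, fuzzy: bool) -> bool:
    """One attribute. A '*' on the NVD side matches anything; a '*' on the
    BOM side matches a concrete NVD value only when fuzzy matching is on."""
    if vuln == "*" or bom == vuln:
        return True
    return fuzzy and bom == "*"


def is_affected(bom_cpe: str, vuln_cpe: str, fuzzy: bool,
                version_end_excluding: Optional[str] = None) -> bool:
    """True when the BOM CPE falls under the NVD CPE (and its version range)."""
    b, v = parse_cpe(bom_cpe), parse_cpe(vuln_cpe)
    if not all(attr_matches(b[f], v[f], fuzzy) for f in FIELDS if f != "version"):
        return False
    if version_end_excluding is None:
        return attr_matches(b["version"], v["version"], fuzzy)
    if b["version"] == "*":          # unknown version: only fuzzy mode assumes affected
        return fuzzy
    return version_key(b["version"]) < version_key(version_end_excluding)


# Constructed sample: the pair quoted in the comment above.
BOM_CPE = "cpe:2.3:a:*:mail:1.4.7:*:*:*:*:*:*:*"
NVD_CPE = "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*"

if __name__ == "__main__":
    # Fuzzy: '*' absorbs 'nextcloud' and 1.4.7 < 1.11.8, so the jar is flagged (True).
    print("fuzzy :", is_affected(BOM_CPE, NVD_CPE, fuzzy=True, version_end_excluding="1.11.8"))
    # Strict: a wildcard vendor in the BOM may not claim a specific vendor (False).
    print("strict:", is_affected(BOM_CPE, NVD_CPE, fuzzy=False, version_end_excluding="1.11.8"))
```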
Hello!
Thanks for your response.
These vulnerabilities are found by the analyzer NVD.
But I think you're right: all the fuzzy CPE options are enabled in our configuration.
I am going to check if, when disabling these options, the two vulnerabilities disappear.
I'll keep you informed :)
Best regards,
Estelle