False positive on org.eclipse.jetty.alpn

[joan38]

False positive on https://mvnrepository.com/artifact/org.eclipse.jetty.alpn/alpn-api

Identifiers

• cpe: cpe:/a:jetty:jetty:1.1.3.v20160715 Confidence:Low suppress
• maven: org.eclipse.jetty.alpn:alpn-api:1.1.3.v20160715 Confidence:Highest
• cpe: cpe:/a:eclipse:jetty:1.1.3.v20160715 Confidence:Low

See comment from the author:
http4s/blaze#235 (comment)

Workaround suppression:

   <suppress>
       <notes>False-positive: it's about the implementation not the api</notes>
       <cve>CVE-2017-14798</cve>
       <cpe>cpe:/a:eclipse:jetty</cpe>
   </suppress>

[joan38]

@jeremylong
I updated the workaround to something more specific.
Could you update the suppression? Because it's too much of a wildcard I think.

Thanks

[jeremylong]

@joan38 I actually don't think the suppression is too broad. It is very specific to the alpn-api which is not Jetty.

[joan38]

@jeremylong but should we add at least the CVE?

[jeremylong]

Suppressing the CVE will suppress this single entry. Suppressing by CPE will prevent future CVEs from being reported against alpn-api - which will reduce the number of FP in the output. If someone is using alpn-api in addition to, for instance, embedded jetty - the embedded version of jetty would still get flagged.

[joan38]

Great!
Should we close this now? Or we are waiting for the release?

[jeremylong]

I generally keep them open until the fix is released.

…

On Wed, Oct 24, 2018, 6:57 AM Joan Goyeau ***@***.***> wrote: Great! Should we close this now? Or we are waiting for the release? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1515 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA0qwnWcHW8vzNnTXu2QACbKeyL-gnEcks5uoEeRgaJpZM4XHrpG> .

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.