
[FP]: plexus-* packages got matched with CVE-2022-4244, CVE-2022-4245 #5973

Closed
SergeS opened this issue Oct 3, 2023 · 6 comments
Labels: FP Report, maven (changes to the maven plugin), nvd

Comments

SergeS commented Oct 3, 2023

Package URL

pkg:maven/org.codehaus.plexus/plexus-cipher@2.0

CPE

cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:2.0:*:*:*:*:*:*:*

CVE

CVE-2022-4244

ODC Integration

Maven Plugin

ODC Version

8.4.0

Description

There are multiple packages matching this CVE (which is for the plexus-utils package):

plexus-cipher-2.0.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)
plexus-sec-dispatcher-2.0.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)
plexus-classworlds-2.6.0.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)
plexus-component-annotations-2.1.0.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)
plexus-interpolation-1.26.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)

All of this seems to be caused by a different name for plexus-utils in Red Hat Linux.

EDIT: The CVE matches versions of plexus-utils, and it was fixed as part of plexus-utils in the specified version.

github-actions bot (Contributor) commented Oct 3, 2023

Maven Coordinates

<dependency>
   <groupId>org.codehaus.plexus</groupId>
   <artifactId>plexus-cipher</artifactId>
   <version>2.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5973
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-cipher@.*$</packageUrl>
   <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6391379126

github-actions bot added the maven (changes to the maven plugin) label Oct 3, 2023

github-actions bot (Contributor) commented Oct 3, 2023

Maven Coordinates

<dependency>
   <groupId>org.codehaus.plexus</groupId>
   <artifactId>plexus-cipher</artifactId>
   <version>2.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5973
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-cipher@.*$</packageUrl>
   <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6391454837

marcelstoer (Contributor) commented
@SergeS Thanks!

@aikebah from what I understand the suppression rule generated by the bot wouldn't cut it. As described by @SergeS we'd likely need a suppression for each affected package or one with a wildcard package URL.

aikebah added the nvd label Oct 4, 2023

aikebah (Collaborator) commented Oct 4, 2023

I think this one should be raised with the NVD. They have assigned a CPE codehaus_plexus_project:codehaus-plexus, where the plexus project in reality consists of multiple independently released products, so the individual libraries of the codehaus-plexus project should receive individual CPEs.

SergeS (Author) commented Oct 9, 2023

@aikebah
It seems that Red Hat has a package named codehaus-plexus that contains all the tools; it depends on the CVE though. Here is the rule I used:

    <suppress>
        <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-(cipher|classworlds|component-annotations|interpolation|sec-dispatcher)@.*$</packageUrl>
        <cve>CVE-2022-4244</cve>
        <cve>CVE-2022-4245</cve>
    </suppress>

I think we can replace cve with cpe at the bottom.
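The two comments above make a single point: Dependency-Check matched every `org.codehaus.plexus` artifact to one vendor/product pair (`codehaus-plexus_project:codehaus-plexus`), and the workaround is one regex `packageUrl` suppression that lists the affected artifactIds explicitly. The script below is an added example, not code from the issue or from Dependency-Check itself: it splits the reported CPE 2.3 string into its attributes, builds the wildcard suppression rule from a list of artifactIds in the same `<suppress>` shape the bot and the issue author use, and checks the regex's scope, confirming it covers all five reported purls while leaving plexus-utils (the artifact the CVEs actually concern) unsuppressed. The plexus-utils version and the sample purls are constructed for the check; the packageUrl regex is the one posted in the issue.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the CPE Dependency-Check reported for plexus-cipher and
# the package URLs of the five artifacts listed as false positives in the issue.
REPORTED_CPE = "cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:2.0:*:*:*:*:*:*:*"
REPORTED_PURLS = [
    "pkg:maven/org.codehaus.plexus/plexus-cipher@2.0",
    "pkg:maven/org.codehaus.plexus/plexus-sec-dispatcher@2.0",
    "pkg:maven/org.codehaus.plexus/plexus-classworlds@2.6.0",
    "pkg:maven/org.codehaus.plexus/plexus-component-annotations@2.1.0",
    "pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26",
]
# Constructed: a plexus-utils coordinate (hypothetical version). The CVEs are about
# this artifact, so a correct suppression must not match it.
PLEXUS_UTILS_PURL = "pkg:maven/org.codehaus.plexus/plexus-utils@3.4.0"
# The packageUrl regex exactly as posted in the issue.
ISSUE_PATTERN = (r"^pkg:maven/org\.codehaus\.plexus/plexus\-"
                 r"(cipher|classworlds|component-annotations|interpolation|sec-dispatcher)@.*$")

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its eleven named attributes.

    A colon escaped as '\\:' is attribute content, not a separator.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    values = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(values) != len(CPE23_FIELDS):
        raise ValueError("expected %d attributes, got %d" % (len(CPE23_FIELDS), len(values)))
    return dict(zip(CPE23_FIELDS, values))


def parse_maven_purl(purl):
    """Return namespace (groupId), name (artifactId) and version of a Maven purl."""
    m = re.fullmatch(r"pkg:maven/([^/@]+)/([^/@]+)@([^?#]+)", purl)
    if m is None:
        raise ValueError("not a Maven package URL: %r" % purl)
    return {"namespace": m.group(1), "name": m.group(2), "version": m.group(3)}


def build_suppression(group_id, artifact_ids, cpe_uri, note):
    """Build one suppression covering several artifactIds of a single groupId.

    Returns the packageUrl regex and the serialized <suppress> element, in the
    shape used in the issue: a regex <packageUrl> plus a <cpe> to suppress.
    """
    pattern = (r"^pkg:maven/" + re.escape(group_id) + "/("
               + "|".join(re.escape(a) for a in artifact_ids) + r")@.*$")
    sup = ET.Element("suppress")
    ET.SubElement(sup, "notes").text = note
    ET.SubElement(sup, "packageUrl", regex="true").text = pattern
    ET.SubElement(sup, "cpe").text = cpe_uri
    return pattern, ET.tostring(sup, encoding="unicode")


def rule_matches(pattern, purl):
    """True when the suppression's packageUrl regex matches this purl."""
    return re.match(pattern, purl) is not None


def check_scope(pattern, must_match, must_not_match):
    """Return (missed, over_matched): purls the rule fails to cover and purls
    it would wrongly silence. Both lists empty means the rule is scoped right."""
    missed = [p for p in must_match if not rule_matches(pattern, p)]
    over = [p for p in must_not_match if rule_matches(pattern, p)]
    return missed, over


if __name__ == "__main__":
    cpe = parse_cpe23(REPORTED_CPE)
    print("matched vendor/product:", cpe["vendor"], cpe["product"], "version", cpe["version"])
    names = [parse_maven_purl(p)["name"] for p in REPORTED_PURLS]
    pattern, xml_text = build_suppression(
        "org.codehaus.plexus", names,
        "cpe:/a:codehaus-plexus_project:codehaus-plexus", "FP per issue #5973")
    print(xml_text)
    for label, pat in (("issue rule", ISSUE_PATTERN), ("generated rule", pattern)):
        print(label, "missed/over-matched:",
              check_scope(pat, REPORTED_PURLS, [PLEXUS_UTILS_PURL]))
```

The scope check is the part worth keeping around: a tempting shortcut such as `^pkg:maven/org\.codehaus\.plexus/.*$` silences plexus-utils too, which is exactly the artifact these CVEs describe, and `check_scope` reports it in the over-matched list. Note also that the version in the reported CPE (`2.0`) is taken from the scanned jar, so any plexus-* artifact whose own version falls in the CVE's affected range for plexus-utils will be flagged; the suppression has to be keyed on artifactId, as the issue's rule is, not on version.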

aikebah (Collaborator) commented Oct 10, 2024

NVD has updated the CPE on these to plexus-utils. These FPs are expected to disappear on the next update of the NVD data on a new scan.

aikebah closed this as completed Dec 8, 2024
github-actions bot locked as resolved and limited conversation to collaborators Jan 8, 2025