
#3868 Suppress log4j-api & log4j-to-slf4j false positive #3869

Merged
merged 2 commits into from
Dec 14, 2021

Conversation

nhumblot
Collaborator

@nhumblot nhumblot commented Dec 13, 2021

Fixes Issue

Description of Change

Fix #3868

log4j-api & log4j-to-slf4j are identified as vulnerable to CVE-2021-44228.

More explanations on why these two dependencies should be declared as false positives.

Have test cases been added to cover the new functionality?

No automated test but a manual verification of these FPs not being raised on a compiled snapshot has been performed.

@boring-cyborg boring-cyborg bot added the core changes to core label Dec 13, 2021
@jeremylong jeremylong merged commit d4cc8a4 into jeremylong:main Dec 14, 2021
@jeremylong jeremylong added this to the 6.5.1 milestone Dec 14, 2021
@nhumblot nhumblot deleted the 3868-fp-log4japi branch December 14, 2021 19:35
@bjansen
Contributor

bjansen commented Dec 20, 2021

What if someday someone finds a CVE in log4j-api, won't it be suppressed because the CPE will also be cpe:/a:apache:log4j and lead to a false negative?

@whimet

whimet commented Dec 20, 2021

With version 6.5.1, it still reports CVE-2021-45046 and CVE-2021-45105 against log4j-api, which are false positives as well. For example: log4j-api-2.13.3.jar (pkg:maven/org.apache.logging.log4j/log4j-api@2.13.3, cpe:2.3:a:apache:log4j:2.13.3:*:*:*:*:*:*:*) : CVE-2021-45046, CVE-2021-45105

@jeremylong
Owner

@bjansen What I ended up doing was suppressing by CVE - not the entire log4j CPE. Which is why @whimet is reporting that the two newer CVEs are still being reported. I just updated the suppression file: #3910

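The distinction jeremylong draws above (suppress the named CVEs, not the whole `cpe:/a:apache:log4j` match) is what decides whether a suppression can later turn into the false negative bjansen asks about. The following dependency-check suppression file is an added example written for this thread; it is not the project's own base suppression file and not the change merged in this PR or in #3910. The `packageUrl` regexes and the `notes` text are constructed; the CVE identifiers are the three discussed in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a dependency-check suppression file.
     Scoping each entry to a packageUrl AND a list of CVEs means the
     suppression applies only to the named artifacts and only to the
     named findings; any CVE later mapped to the log4j CPE for these
     artifacts is still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Avoid: a CPE-wide suppression for the same packageUrl would read
         <cpe>cpe:/a:apache:log4j</cpe>
         in place of the <cve> elements below and would hide every current
         and future CVE mapped to that CPE for log4j-api, which is the
         false negative raised in the thread. -->

    <suppress>
        <notes><![CDATA[
        log4j-api is reported as a false positive for the log4j-core CVEs
        discussed in #3868 / #3869. Scoped to the named CVEs so a future
        CVE filed against log4j-api itself is still reported.
        ]]></notes>
        <!-- regex over the Package URL: any version of the log4j-api artifact -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-api@.*$</packageUrl>
        <cve>CVE-2021-44228</cve>
        <cve>CVE-2021-45046</cve>
        <cve>CVE-2021-45105</cve>
    </suppress>

    <suppress>
        <notes><![CDATA[
        log4j-to-slf4j is reported as a false positive for the same
        log4j-core CVEs (#3868 / #3869).
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-to\-slf4j@.*$</packageUrl>
        <cve>CVE-2021-44228</cve>
        <cve>CVE-2021-45046</cve>
        <cve>CVE-2021-45105</cve>
    </suppress>

</suppressions>
```

Pointing the CLI at the file with `--suppression <path>` applies it on top of the base suppressions shipped with dependency-check. The trade-off in the thread is visible in the file: a `<cve>` list has to be extended by hand when a new false positive appears (as happened here between 6.5.1 and #3910), whereas a `<cpe>` suppression never needs extending because it silences everything, including findings that are real.
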
@bjansen
Contributor

bjansen commented Dec 21, 2021

OK thanks for the clarification.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2024
Successfully merging this pull request may close these issues.

False Positive on log4j-api-2.14.1.jar