Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: junit jupiter being falsely matched as CPE 1e:platform #6743

Closed
chadlwilson opened this issue Jun 28, 2024 · 4 comments
Closed

[FP]: junit jupiter being falsely matched as CPE 1e:platform #6743

chadlwilson opened this issue Jun 28, 2024 · 4 comments
Labels
FP Report maven changes to the maven plugin

Comments

@chadlwilson
Copy link
Contributor

Package URl

pkg:maven/org.junit.jupiter/[email protected]

CPE

cpe:2.3:a:1e:platform:5.10.3:*:*:*:*:*:*:*

CVE

CVE-2023-45161, CVE-2023-45163, CVE-2023-5964

ODC Integration

{"label"=>"Gradle Plugin"}

ODC Version

9.2.0

Description

1E Platform is something completely different: https://www.1e.com/platform/

There are actually three jars that are being detected as FPs now:

pkg:maven/org.junit.jupiter/[email protected]
pkg:maven/org.junit.platform/[email protected]
pkg:maven/org.junit.platform/[email protected]

The FPs weren't reporting with junit 5.10.2 which implies the version number is part of the heuristic for CPE matching here :-(

Could submit 3 different FPs for the automation, but not sure if that's the best way forward here?
@chadlwilson chadlwilson changed the title [FP]: junit jupiter being falsely matched as CPU 1e:platform [FP]: junit jupiter being falsely matched as CPE 1e:platform Jun 28, 2024
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>org.junit.jupiter</groupId>
   <artifactId>junit-jupiter-engine</artifactId>
   <version>5.10.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6743
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.junit\.jupiter/junit-jupiter-engine@.*$</packageUrl>
   <cpe>cpe:/a:1e:platform</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9707350278

@github-actions github-actions bot added the maven changes to the maven plugin label Jun 28, 2024
@github-actions GitHub Actions
Copy link
Contributor

Maven Coordinates

<dependency>
   <groupId>org.junit.jupiter</groupId>
   <artifactId>junit-jupiter-engine</artifactId>
   <version>5.10.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6743
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.junit\.jupiter/junit-jupiter-engine@.*$</packageUrl>
   <cpe>cpe:/a:1e:platform</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9707356505

@chadlwilson
Copy link
Contributor Author

Perhaps this would be better here.

  <suppress>
    <notes><![CDATA[
    FP per issue #6743
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.junit\..*/junit-.*@.*$</packageUrl>
    <cpe>cpe:/a:1e:platform</cpe>
  </suppress>

chadlwilson added a commit to chadlwilson/DependencyCheck that referenced this issue Jun 28, 2024
@chadlwilson
fix(fp): FP per issue jeremylong#6743
ef7cafe
@chadlwilson chadlwilson mentioned this issue Jun 28, 2024
Merged
aikebah added a commit that referenced this issue Jun 29, 2024
@aikebah
fix(fp): FP per issue #6743 (#6744)
2458f15
@aikebah
Copy link
Collaborator

aikebah commented Jun 29, 2024

Resolved via the PR, followed by FP publishing pipeline of another FP

@aikebah aikebah closed this as completed Jun 29, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FP Report maven changes to the maven plugin
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aikebah @chadlwilson