[FP]: False Positive for msal4j-persistence-extension-1.3.0.jar against CVE-2024-35255

[jubui]

Package URl

pkg:maven/com.microsoft.azure/[email protected]

CPE

cpe:2.3:a:microsoft:authentication_library:1.3.0:*:*:*:*:*:*:*

CVE

CVE-2024-35255

ODC Integration

None

ODC Version

10.0.3

Description

The persistence-extension library is part of the msal4j project and as such, it doesn't make sense to compare the persistence-extension version (in this case v1.3.0) against the msal4j version number (in this case versions <1.15.1 are affected).

Furthermore, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255 indicates that the java ManagedIdentityApplication class is vulnerable, which is in the msal4j library, not the msal4j-persistence-extension submodule.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12241787047

[chadlwilson]

Can you please edit the description to trigger the bot to run again? (I dont have permissions to nudge it and it seems it had a transient error with Maven Central)

This seems a false positive as the extension is versioned independently of the main msal4j artifact.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.microsoft.azure</groupId>
   <artifactId>msal4j-persistence-extension</artifactId>
   <version>1.3.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7238
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j-persistence-extension@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12256383851

[chadlwilson]

Approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.