
[FP]: commons-configuration 1.10 jar flagged for 2 CVEs only applicable to version 2.x #6704

Closed
kwwall opened this issue May 30, 2024 · 3 comments
Labels
duplicate FP Report maven changes to the maven plugin ossindex Label for issues that relate to the OSSIndex API won't fix

Comments

kwwall commented May 30, 2024

Package URL

pkg:maven/commons-configuration/commons-configuration@1.10

CPE

cpe:2.3:a:apache:commons_configuration:1.10:*:*:*:*:*:*:*

CVE

CVE-2024-29131

ODC Integration

Maven Plugin

ODC Version

9.2.0

Description

The other CVE that was flagged is CVE-2024-29133. All indications are that these 2 CVEs only apply to versions "from 2.0 before 2.10.1".

However, it seems plausible that this FP is caused by misinformation in the Sonatype link https://ossindex.sonatype.org/component/pkg:maven/commons-configuration/commons-configuration@1.10?utm_source=dependency-check&utm_medium=integration&utm_content=9.2.0 which the pkg: URI refers to, as it notes "Version 1.10" at the top of the page.

This result was produced when run against the ESAPI 2.5.4.0 release.

Contributor

Maven Coordinates

<dependency>
   <groupId>commons-configuration</groupId>
   <artifactId>commons-configuration</artifactId>
   <version>1.10</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6704
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-configuration/commons-configuration@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_configuration</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9310704981
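Added example, not code from this issue or from dependency-check itself: a small Python check that parses a suppression file like the rule above and reports which package URLs in a constructed inventory each rule covers. It makes visible that a `@.*$` selector paired with a version-less `<cpe>` silences the finding for every version of the artifact, not just 1.10, and shows how to pin a rule to one version instead. Whole-string regex matching of the packageUrl selector is an assumption about dependency-check's behaviour; the inventory and the `pinned_purl_regex` helper are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# The suppression rule posted in this issue, embedded as a constructed sample file.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions>
  <suppress base="true">
    <notes><![CDATA[ FP per issue #6704 ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-configuration/commons-configuration@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_configuration</cpe>
  </suppress>
</suppressions>
"""

# Constructed dependency inventory, as package URLs in the form dependency-check reports.
INVENTORY = [
    "pkg:maven/commons-configuration/commons-configuration@1.9",
    "pkg:maven/commons-configuration/commons-configuration@1.10",
    "pkg:maven/org.apache.commons/commons-configuration2@2.10.1",
]


def parse_rules(xml_text):
    """Extract the packageUrl selector and the suppressed CPE(s) of each <suppress>."""
    rules = []
    for sup in ET.fromstring(xml_text).iter("suppress"):
        purl = sup.find("packageUrl")
        rules.append({
            "purl": purl.text.strip() if purl is not None else None,
            "regex": purl is not None and purl.get("regex") == "true",
            "cpes": [c.text.strip() for c in sup.findall("cpe")],
        })
    return rules


def matched_purls(rule, inventory):
    """Inventory entries the rule applies to (assumes whole-string matching, as the ^...$ anchors imply)."""
    sel = rule["purl"]
    if sel is None:
        return []
    if rule["regex"]:
        return [p for p in inventory if re.fullmatch(sel, p)]
    return [p for p in inventory if p == sel]


def broad_rules(rules, inventory):
    """Rules whose selector covers more than one artifact version; re-review these on every upgrade."""
    return [r for r in rules if len(matched_purls(r, inventory)) > 1]


def pinned_purl_regex(purl):
    """Hypothetical helper: a regex selecting exactly one package URL, version included."""
    return "^" + re.escape(purl) + "$"
```

Running `broad_rules(parse_rules(SUPPRESSIONS_XML), INVENTORY)` returns the posted rule, since it covers both 1.9 and 1.10, while a rule built from `pinned_purl_regex(INVENTORY[1])` covers 1.10 alone.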

@github-actions github-actions bot added the maven changes to the maven plugin label May 30, 2024
@aikebah aikebah added duplicate won't fix ossindex Label for issues that relate to the OSSIndex API labels Jun 1, 2024
aikebah (Collaborator) commented Jun 1, 2024

If you search the issues you'll find multiple duplicates. We just report that OSSINDEX states that version 1.10 is subject to the same CVEs, so you'd have to take it up with Sonatype OSSINDEX.

kwwall (Author) commented Jun 8, 2024

@jeremylong - Thanks for closing this. About a week ago I confirmed that these CVEs were legit in the Apache Commons Configuration 1.x releases as well, and I notified the Apache security team. They said that Sonatype had never informed them. I just forgot to tie up this loose end. Fortunately, these are not exploitable in ESAPI, so I'm going to leave the suppression rules that I added in our last release intact, but maybe change the comment.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 9, 2024