
False Positive Report for CVE-2012-5785 in Axis2 Version 1.8.2 #6745

Closed
Jeld4 opened this issue Jun 28, 2024 · 3 comments

Jeld4 commented Jun 28, 2024

Hello,

I have encountered a security scanner report that flags CVE-2012-5785 in my project.

However, my project is currently using Apache Axis2/Java version 1.8.2. Given that version 1.8.2 is much newer than 1.6.2, I believe this CVE should not apply to my project and suspect it might be a false positive.

Additionally, I noticed that sandesha2-core has a dependency on axis2-codegen version 1.6.2. Is it possible that the dependency check is confused because of this?

Here is the tree of dependencies from my project:

```
+--- org.apache.sandesha2:sandesha2-core:1.6.2
|    +--- org.apache.axis2:axis2-codegen:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.ws.commons.axiom:axiom-api:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-impl:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-dom:1.2.13 -> 1.4.0 (*)
|    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.axis2:addressing:1.6.2
|    |    \--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    \--- org.apache.axis2:axis2-mtompolicy:1.6.2
|         +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|         \--- org.apache.neethi:neethi:3.0.2 -> 3.2.0
```

I would like to be sure that we can mark the CVE as a false positive if we have newer versions.

Thank you for your assistance.

@Jeld4 Jeld4 added the question label Jun 28, 2024
chadlwilson (Contributor) commented Jun 28, 2024

There is a dedicated issue type for false positive reports that ensures you report the necessary information from the ODC report to make these possible to assess. The output specifically notes the exact dependency it is reporting against so there should be no confusion here.

The team need to know the specific Maven coordinates reported and the CPE at least, i.e. the information from the report ODC gives you.

chadlwilson (Contributor) commented
Hi there, can you please close this duplicate, since you raised it at #6757 using the template? :-)

(I'm not actually a maintainer, so I can't clean up issues myself, but it would help the team.)

@aikebah aikebah closed this as completed Jul 2, 2024