There is a dedicated issue type for false positive reports that ensures you report the necessary information from the ODC report to make these possible to assess. The output specifically notes the exact dependency it is reporting against so there should be no confusion here.
The team needs to know at least the specific Maven coordinates reported and the CPE, i.e. the information from the report ODC gives you.
Hello,
I have encountered a security scanner report that flags CVE-2012-5785 in my project.
However, my project is currently using Apache Axis2/Java version 1.8.2. Given that version 1.8.2 is much newer than 1.6.2, I believe this CVE should not apply to my project and suspect it might be a false positive.
Additionally, I noticed that sandesha-core2 has a dependency on axis2-codegen version 1.6.2. Is it possible that the dependency check is confused because of this?
Here is the tree of dependencies from my project:
I would like to be sure that we can mark the CVE as a false positive if we have newer versions.
Thank you for your assistance.
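To show what the maintainer is asking for (the Maven coordinates and CPE of the exact dependency the finding is attached to) and why the transitive axis2-codegen 1.6.2 artifact matters, here is an added Python example that is not part of this issue thread or of Dependency-Check itself. It reads a JSON report in the shape ODC produces (assumption: a top-level `dependencies` list whose entries carry `fileName`, `packages`, `vulnerabilityIds` and `vulnerabilities`) and prints, per flagged artifact, the fields a false-positive report needs. The embedded report is constructed from the artifact names and CVE mentioned in the thread; it is not a real scanner output.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of an OWASP Dependency-Check JSON report.
# Assumption: the real report uses the same per-dependency keys. The purl, CPE
# and CVE values below are illustrative, built from the names in this thread.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            # A transitive jar (pulled in via sandesha2) is still this version
            # on the classpath, so the finding is attached to this file, not
            # to the axis2 1.8.2 artifacts declared directly.
            "fileName": "axis2-codegen-1.6.2.jar",
            "packages": [{"id": "pkg:maven/org.apache.axis2/axis2-codegen@1.6.2",
                          "confidence": "HIGHEST"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:axis2:1.6.2:*:*:*:*:*:*:*",
                                  "confidence": "HIGHEST"}],
            "vulnerabilities": [{"name": "CVE-2012-5785", "severity": "MEDIUM"}],
        },
        {
            "fileName": "axis2-kernel-1.8.2.jar",
            "packages": [{"id": "pkg:maven/org.apache.axis2/axis2-kernel@1.8.2",
                          "confidence": "HIGHEST"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:axis2:1.8.2:*:*:*:*:*:*:*",
                                  "confidence": "HIGHEST"}],
            "vulnerabilities": [],
        },
    ]
})


def flagged_dependencies(report_json: str) -> List[Dict[str, object]]:
    """Return one row per dependency that carries at least one finding, with the
    file name, Maven coordinates (package URLs), matched CPEs and CVE names."""
    report = json.loads(report_json)
    rows = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue  # clean artifact, nothing to report
        rows.append({
            "fileName": dep.get("fileName"),
            "purls": [p["id"] for p in dep.get("packages", [])],
            "cpes": [c["id"] for c in dep.get("vulnerabilityIds", [])],
            "cves": sorted(v["name"] for v in vulns),
        })
    return rows


def dependencies_for_cve(report_json: str, cve: str) -> List[str]:
    """File names of the artifacts a given CVE is attached to, so the report can
    be checked against the jar actually on the classpath."""
    return [row["fileName"] for row in flagged_dependencies(report_json)
            if cve in row["cves"]]


def format_false_positive_report(rows: List[Dict[str, object]]) -> str:
    """Render the rows as the block of text a false-positive issue should carry."""
    lines = []
    for row in rows:
        lines.append(str(row["fileName"]))
        lines.append("  maven: " + ", ".join(row["purls"]))
        lines.append("  cpe:   " + ", ".join(row["cpes"]))
        lines.append("  cves:  " + ", ".join(row["cves"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real dependency-check-report.json path to use it instead of the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_REPORT
    print(format_false_positive_report(flagged_dependencies(data)))
```

Run against a real `dependency-check-report.json` (the JSON format must be enabled in the scan), the output gives exactly the coordinates and CPE the maintainer asks for; if the row names the axis2-codegen 1.6.2 jar, that jar is what was scanned, whatever version the project declares for axis2 elsewhere.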