Report for CVE-2012-5785 in Axis2 Version 1.8.2 #6757
Comments
Maven Coordinates

```xml
<dependency>
   <groupId>org.apache.sandesha2</groupId>
   <artifactId>sandesha2-core</artifactId>
   <version>1.6.2</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6757
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.sandesha2/sandesha2-core@.*$</packageUrl>
   <cpe>cpe:/a:apache:axis2</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9738899033
Can somebody please explain to me whether it was evaluated as a false positive or is the bot just generating a suppression rule based on the entered parameters? @chadlwilson
Maven Coordinates

```xml
<dependency>
   <groupId>org.apache.sandesha2</groupId>
   <artifactId>sandesha2-core</artifactId>
   <version>1.6.2</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6757
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.sandesha2/sandesha2-core@.*$</packageUrl>
   <cpe>cpe:/a:apache:axis2</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9757018582
The bot just suggests a suppression for automation based on the parameters, but it has to be reviewed and merged by a core contributor before it takes effect (which I am not one of, but yeah). Only FPs which are caused by product/CPE mismatches and ODC heuristics will be merged. If the problem is the upstream data (NVD, OSSIndex etc.) it won't be merged into ODC.
In my personal opinion, this does indeed seem like a false positive, and the suggested suppression is correct/valid. Sandesha is a separate Axis2 module and while they chose similar version numbers to axis2, it was released separately and declares a dependency on axis (not bundled together) so I don't see any reason it should be matched to axis2's CPE? Furthermore
Perhaps @aikebah can take a look and see what he thinks, but I think this suppression is fine - perhaps slightly surprised it's not also reported against other sandesha modules aside from
approved Thanks @chadlwilson for your elaboration on the library. It saved me the investigation. Using your pointers I could easily observe that the CPE suppression is warranted. Sandesha would indeed receive a CPE of its own should a vulnerability be published for it.
Suppress rule has been added to the
Package URL
pkg:maven/org.apache.sandesha2/[email protected]
CPE
cpe:2.3:a:apache:axis2:*:*:*:*:*:*:*:* versions up to (including) 1.6.2
CVE
CVE-2012-5785
ODC Integration
None
ODC Version
9.0.10
Description
Hello,
I have encountered a security scanner report that flags CVE-2012-5785 in my project.
However, my project is currently using Apache Axis2/Java version 1.8.2. Given that version 1.8.2 is much newer than 1.6.2, I believe this CVE should not apply to my project and suspect it might be a false positive.
Additionally, I noticed that sandesha2-core has a dependency on axis2-codegen version 1.6.2. Is it possible that the dependency check is confused because of this?
Here is the tree of dependencies from my project:

```text
+--- org.apache.sandesha2:sandesha2-core:1.6.2
|    +--- org.apache.axis2:axis2-codegen:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.ws.commons.axiom:axiom-api:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-impl:1.2.13 -> 1.4.0 (*)
|    +--- org.apache.ws.commons.axiom:axiom-dom:1.2.13 -> 1.4.0 (*)
|    +--- commons-logging:commons-logging:1.1.1 -> 1.2
|    +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    +--- org.apache.axis2:addressing:1.6.2
|    |    \--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|    \--- org.apache.axis2:axis2-mtompolicy:1.6.2
|         +--- org.apache.axis2:axis2-kernel:1.6.2 -> 1.8.2 (*)
|         \--- org.apache.neethi:neethi:3.0.2 -> 3.2.0
```
I would like to be sure that we can mark the CVE as a false positive if we have newer versions.

```text
Dependency: sandesha2-core-1.6.2.jar
Vulnerability IDs: cpe:2.3:a:apache:axis:1.6.2:*:*:*:*:*:*:*
                   cpe:2.3:a:apache:axis2:1.6.2:*:*:*:*:*:*:*
Package: pkg:maven/org.apache.sandesha2/[email protected]
Severity: MEDIUM
```
Thank you for your assistance.