
[FP]: False positive for CVE-2024-35255 in com.microsoft.azure/msal4j@1.15.1 #6840

Open · juanmanuelromeraferrio opened this issue Jul 15, 2024 · 8 comments
Labels: FP Report, maven (changes to the maven plugin)

Comments


juanmanuelromeraferrio commented Jul 15, 2024

Package URl

pkg:maven/com.microsoft.azure/msal4j@1.15.1

CPE

cpe:2.3:a:microsoft:authentication_library:1.15.1:*:*:*:*:*:*:*

CVE

CVE-2024-35255

ODC Integration

CLI

ODC Version

10.0.2

Description

The msal4j library version 1.15.1 is marked as excluded for CVE-2024-35255, but is still being reported as vulnerable. This appears to be a false positive, as the vulnerability should not apply to versions 1.15.1 and above.

Contributor

Maven Coordinates

<dependency>
   <groupId>com.microsoft.azure</groupId>
   <artifactId>msal4j</artifactId>
   <version>1.15.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6840
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941860681

github-actions bot added the maven label on Jul 15, 2024
juanmanuelromeraferrio changed the title from "[FP]: " to "[FP]: False positive for CVE-2024-35255 in com.microsoft.azure/msal4j@1.15.1" on Jul 15, 2024
Contributor

Maven Coordinates

<dependency>
   <groupId>com.microsoft.azure</groupId>
   <artifactId>msal4j</artifactId>
   <version>1.15.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6840
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941871855

Contributor

Maven Coordinates

<dependency>
   <groupId>com.microsoft.azure</groupId>
   <artifactId>msal4j</artifactId>
   <version>1.15.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6840
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:authentication_library</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9941886001

@matthiaskraaz

Not good. This also suppresses true positives.

The match to cpe:/a:microsoft:authentication_library:::~~~node.js~~ and cpe:/a:microsoft:authentication_library:::~~~.net~~ respectively cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:* and cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:* should be suppressed, while the match to cpe:/a:microsoft:authentication_library:::~~~java~~ respectively cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:* must be kept.

What is the correct syntax in suppressions.xml for that? Thanks in advance for your help.

BTW: Does suppressions.xml really only accept CPE 2.2 and not CPE 2.3? It would be nice to have CPE 2.3 in suppressions.xml, so it is aligned with the report.
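To make concrete why the vendor/product-only `<cpe>` rule above over-suppresses, here is an added Python example (not code from this thread or from DependencyCheck): it parses the three matched CPE 2.3 names quoted in the previous comment, binds each to the 2.2 URI form that suppressions.xml uses, and applies a component-prefix match as a model of the blanket rule. The prefix-match model and the choice of `java` as the dependency's own target_sw are assumptions for illustration, not ODC's matching code.

```python
import re

# Component order of a CPE 2.3 formatted string (NIST IR 7695, section 6.2).
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed input: the three matched names quoted in the thread and the bot's rule.
MATCHES = [
    "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:*",
    "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:*",
    "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:*",
]
BLANKET_RULE = "cpe:/a:microsoft:authentication_library"

def parse_cpe23(cpe):
    """Split a formatted string into its 11 components; a backslash-escaped
    colon inside a component does not split, and escapes are then removed."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(FIELDS, (p.replace("\\", "") for p in parts[2:])))

def to_cpe22_uri(cpe23):
    """Bind a 2.3 name to the 2.2 URI form: '*' (ANY) becomes empty, the extended
    attributes are packed into the edition slot as ~edition~sw_edition~target_sw~
    target_hw~other when any of the last four is set, trailing empties are dropped."""
    f = {k: "" if v == "*" else v for k, v in parse_cpe23(cpe23).items()}
    ext = [f["edition"], f["sw_edition"], f["target_sw"], f["target_hw"], f["other"]]
    edition = "~" + "~".join(ext) if any(ext[1:]) else f["edition"]
    comps = [f["part"], f["vendor"], f["product"], f["version"], f["update"], edition, f["language"]]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join(comps)

def suppressed_by(rule_cpe22, match_cpe23):
    """Assumed model of a bare <cpe> suppression: every component the rule
    spells out must equal the match's component; unspecified ones are ANY."""
    rule = rule_cpe22.removeprefix("cpe:/").split(":")
    actual = to_cpe22_uri(match_cpe23).removeprefix("cpe:/").split(":")
    return actual[:len(rule)] == rule

def over_suppressed(matches, rule_cpe22, dependency_target_sw):
    """Matches the rule silences although their target_sw is the dependency's own platform."""
    return [m for m in matches if suppressed_by(rule_cpe22, m)
            and parse_cpe23(m)["target_sw"] == dependency_target_sw]

if __name__ == "__main__":
    for m in MATCHES:
        print(to_cpe22_uri(m), "suppressed:", suppressed_by(BLANKET_RULE, m))
    print("true positives hidden:", over_suppressed(MATCHES, BLANKET_RULE, "java"))
```

A rule that spells out the packed edition component (for example `cpe:/a:microsoft:authentication_library:::~~~node.js~~`) matches only that platform's name under this model, which is the distinction the comment above asks for.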

@juanmanuelromeraferrio (Author)

Hi,

Thank you for your response. I just wanted to report that the msal4j library version 1.15.1 is incorrectly marked as vulnerable to CVE-2024-35255, which appears to be a false positive. I did not intend to propose a specific suppression solution.

Could you please advise on how to proceed or if there are any additional steps I need to take to ensure this false positive is properly handled?

Thank you in advance for your help.


trask commented Jul 24, 2024

I had a similar finding to @matthiaskraaz, which is that libraries/versions for other languages (e.g. Python and JavaScript) are getting matched.


vil2be commented Aug 14, 2024

Hi, is there any update on this?

@denAbramoff

Any news?
