Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FP]: Adobe Experience Manager uber-jar 6.5.22 reports numerous false positives #7290

Open
henrykuijpers opened this issue Jan 8, 2025 · 3 comments
Open

[FP]: Adobe Experience Manager uber-jar 6.5.22 reports numerous false positives #7290

henrykuijpers opened this issue Jan 8, 2025 · 3 comments
Labels
enhancement FP Report maven changes to the maven plugin

Comments

@henrykuijpers
Copy link

henrykuijpers commented Jan 8, 2025
edited
Loading

Package URl

pkg:maven/com.adobe.aem/[email protected]

CPE

cpe:2.3:a:adobe:experience_manager:6.5.22:::::::*

CVE

No response

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

10.0.3

Description

When checking a few of these CVEs, they all report that they are fixed in 6.5.20 or 6.5.21 (or even in earlier versions).

CVE-2024-26029, CVE-2024-43716, CVE-2024-43717, CVE-2024-43729, CVE-2024-43755, CVE-2024-43731, CVE-2024-52831, CVE-2024-36216, CVE-2023-51457, CVE-2023-51458, CVE-2023-51459, CVE-2023-51460, CVE-2023-51461, CVE-2023-51462, CVE-2024-20760, CVE-2024-20768, CVE-2024-20769, CVE-2024-20778, CVE-2024-20779, CVE-2024-20780, CVE-2024-20784, CVE-2024-20799, CVE-2024-20800, CVE-2024-26028, CVE-2024-26030, CVE-2024-26031, CVE-2024-26032, CVE-2024-26033, CVE-2024-26034, CVE-2024-26035, CVE-2024-26036, CVE-2024-26037, CVE-2024-26038, CVE-2024-26039, CVE-2024-26040, CVE-2024-26041, CVE-2024-26042, CVE-2024-26043, CVE-2024-26044, CVE-2024-26045, CVE-2024-26046, CVE-2024-26047, CVE-2024-26051, CVE-2024-26052, CVE-2024-26053, CVE-2024-26054, CVE-2024-26055, CVE-2024-26056, CVE-2024-26057, CVE-2024-26058, CVE-2024-26059, CVE-2024-26060, CVE-2024-26061, CVE-2024-26062, CVE-2024-26064, CVE-2024-26065, CVE-2024-26066, CVE-2024-26067, CVE-2024-26068, CVE-2024-26069, CVE-2024-26070, CVE-2024-26071, CVE-2024-26072, CVE-2024-26073, CVE-2024-26074, CVE-2024-26075, CVE-2024-26076, CVE-2024-26077, CVE-2024-26078, CVE-2024-26079, CVE-2024-26080, CVE-2024-26081, CVE-2024-26082, CVE-2024-26083, CVE-2024-26084, CVE-2024-26085, CVE-2024-26086, CVE-2024-26087, CVE-2024-26088, CVE-2024-26089, CVE-2024-26090, CVE-2024-26091, CVE-2024-26092, CVE-2024-26093, CVE-2024-26094, CVE-2024-26095, CVE-2024-26096, CVE-2024-26097, CVE-2024-26098, CVE-2024-26101, CVE-2024-26102, CVE-2024-26103, CVE-2024-26104, CVE-2024-26105, CVE-2024-26106, CVE-2024-26107, CVE-2024-26110, CVE-2024-26111, CVE-2024-26113, CVE-2024-26114, CVE-2024-26115, CVE-2024-26116, CVE-2024-26117, CVE-2024-26118, CVE-2024-26120, CVE-2024-26121, CVE-2024-26122, CVE-2024-26123, CVE-2024-26124, CVE-2024-26125, CVE-2024-34119, CVE-2024-34120, CVE-2024-34128, CVE-2024-34141, CVE-2024-34142, CVE-2024-36141, CVE-2024-36142, CVE-2024-36143, CVE-2024-36144, CVE-2024-36146, CVE-2024-36147, CVE-2024-36148, CVE-2024-36149, CVE-2024-36150, CVE-2024-36151, CVE-2024-36152, CVE-2024-36153, CVE-2024-36154, CVE-2024-36155, CVE-2024-36156, CVE-2024-36157, CVE-2024-36158, CVE-2024-36159, CVE-2024-36160, CVE-2024-36161, CVE-2024-36162, CVE-2024-36163, CVE-2024-36164, CVE-2024-36165, CVE-2024-36166, CVE-2024-36167, CVE-2024-36168, CVE-2024-36169, CVE-2024-36170, CVE-2024-36171, CVE-2024-36172, CVE-2024-36173, CVE-2024-36174, CVE-2024-36175, CVE-2024-36176, CVE-2024-36177, CVE-2024-36178, CVE-2024-36179, CVE-2024-36180, CVE-2024-36181, CVE-2024-36182, CVE-2024-36183, CVE-2024-36184, CVE-2024-36185, CVE-2024-36186, CVE-2024-36187, CVE-2024-36188, CVE-2024-36189, CVE-2024-36190, CVE-2024-36191, CVE-2024-36192, CVE-2024-36193, CVE-2024-36194, CVE-2024-36195, CVE-2024-36196, CVE-2024-36197, CVE-2024-36198, CVE-2024-36199, CVE-2024-36200, CVE-2024-36201, CVE-2024-36202, CVE-2024-36203, CVE-2024-36204, CVE-2024-36205, CVE-2024-36206, CVE-2024-36207, CVE-2024-36208, CVE-2024-36209, CVE-2024-36210, CVE-2024-36211, CVE-2024-36212, CVE-2024-36213, CVE-2024-36214, CVE-2024-36215, CVE-2024-36217, CVE-2024-36218, CVE-2024-36219, CVE-2024-36220, CVE-2024-36221, CVE-2024-36222, CVE-2024-36224, CVE-2024-36225, CVE-2024-36227, CVE-2024-36228, CVE-2024-36229, CVE-2024-36230, CVE-2024-36231, CVE-2024-36232, CVE-2024-36233, CVE-2024-36234, CVE-2024-36235, CVE-2024-36236, CVE-2024-36238, CVE-2024-36239, CVE-2024-41841, CVE-2024-41843, CVE-2024-41844, CVE-2024-41845, CVE-2024-41846, CVE-2024-41847, CVE-2024-41848, CVE-2024-41875, CVE-2024-41876, CVE-2024-41877, CVE-2024-41878, CVE-2024-43712, CVE-2024-43713, CVE-2024-43714, CVE-2024-43715, CVE-2024-43718, CVE-2024-43719, CVE-2024-43720, CVE-2024-43721, CVE-2024-43722, CVE-2024-43723, CVE-2024-43724, CVE-2024-43725, CVE-2024-43726, CVE-2024-43727, CVE-2024-43728, CVE-2024-43730, CVE-2024-43733, CVE-2024-43734, CVE-2024-43735, CVE-2024-43736, CVE-2024-43737, CVE-2024-43738, CVE-2024-43739, CVE-2024-43740, CVE-2024-43742, CVE-2024-43743, CVE-2024-43744, CVE-2024-43745, CVE-2024-43746, CVE-2024-43747, CVE-2024-43748, CVE-2024-43749, CVE-2024-43750, CVE-2024-43751, CVE-2024-43752, CVE-2024-43754, CVE-2024-45153, CVE-2024-49523, CVE-2024-49524, CVE-2024-52816, CVE-2024-52817, CVE-2024-52818, CVE-2024-52822, CVE-2024-52823, CVE-2024-52824, CVE-2024-52825, CVE-2024-52826, CVE-2024-52827, CVE-2024-52828, CVE-2024-52829, CVE-2024-52830, CVE-2024-52832, CVE-2024-52834, CVE-2024-52835, CVE-2024-52836, CVE-2024-52837, CVE-2024-52838, CVE-2024-52839, CVE-2024-52840, CVE-2024-52841, CVE-2024-52842, CVE-2024-52843, CVE-2024-52844, CVE-2024-52845, CVE-2024-52846, CVE-2024-52847, CVE-2024-52848, CVE-2024-52849, CVE-2024-52850, CVE-2024-52851, CVE-2024-52852, CVE-2024-52853, CVE-2024-52854, CVE-2024-52855, CVE-2024-52857, CVE-2024-52858, CVE-2024-52859, CVE-2024-52860, CVE-2024-52861, CVE-2024-52862, CVE-2024-52864, CVE-2024-52865, CVE-2024-52991, CVE-2024-52992, CVE-2024-52993, CVE-2024-53960, CVE-2024-26063, CVE-2024-26119, CVE-2024-26049, CVE-2024-26050, CVE-2024-41842, CVE-2024-43732, CVE-2024-41849, CVE-2024-26126, CVE-2024-26127, CVE-2024-36226, CVE-2024-41839
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 8, 2025

Maven Coordinates

<dependency>
   <groupId>com.adobe.aem</groupId>
   <artifactId>uber-jar</artifactId>
   <version>6.5.22</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7290
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.adobe\.aem/uber-jar@.*$</packageUrl>
   <cpe>cpe:/a:adobe:experience_manager</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12666301260

@github-actions github-actions bot added the maven changes to the maven plugin label Jan 8, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 8, 2025

Maven Coordinates

<dependency>
   <groupId>com.adobe.aem</groupId>
   <artifactId>uber-jar</artifactId>
   <version>6.5.22</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7290
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.adobe\.aem/uber-jar@.*$</packageUrl>
   <cpe>cpe:/a:adobe:experience_manager</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12666543020

@aikebah
Copy link
Collaborator

aikebah commented Jan 8, 2025

Rooted in NVD registration of AEM where they have 2 CPE variants:
cpe:2.3:a:adobe:experience_manager:*:*:*:*:aem_cloud_service:*:*:* (which this library is not and which uses YYYY.NN versioning)
cpe:2.3:a:adobe:experience_manager:*:*:*:*:*:*:*:*/cpe:2.3:a:adobe:experience_manager:*:*:*:*:-:*:*:* (which this library falls under and has in the NVD data the appropriate upper bounds)

It would require an enhancement of the handling of CPE to be able to both determine (for a library) and include in the CPE-matching the software_edition. I see no way to reliably establish those, so likely this FP needs end-user resolution by your own suppressions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement FP Report maven changes to the maven plugin
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aikebah @henrykuijpers