[FP]: Apache libfb303-0.9.3 matches Facebook libfb303 and Apache thrift #5781
Comments
|
Maven Coordinates <dependency>
<groupId>org.apache.thrift</groupId>
<artifactId>libfb303</artifactId>
<version>0.9.3</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #5781
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
<cpe>cpe:/a:apache:thrift</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/5311932293 |
|
approved |
|
Suppress rule has been added to the |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Package URl
pkg:maven/org.apache.thrift/libfb303@0.9.3
CPE
cpe:2.3:a:apache:thrift:0.9.3:*:*:*:*:*:*:*CVE
No response
ODC Integration
{"label"=>"Maven Plugin"}
ODC Version
8.3.1
Description
The Apache thrift consists of two artifacts,
libthriftandlibfb303. Vulnerabilities have been reported inlibthriftversion 0.9.3 to 0.13.0. Newer versions have been provided, fixing those issues. But since no vulnerabilities have been found in libfb303, its version stays at 0.9.3. It is problematic that the two artifacts share the CPE.Thrift was first developed by Facebook, but later was taken over by Apache.
Apart from the mentioned CPE, it also matches
cpe:2.3:a:facebook:thrift:0.9.3:*:*:*:*:*:*:*, i.e. the old Facebook one. This is definitely wrong, since the group ID clearly identifies the artifact as the Apache one.The text was updated successfully, but these errors were encountered: