jowko/cve-bug-example
# CVE bug example

This repository reproduces a bug in which a library is misidentified and CVEs belonging to a different library are reported against it.

## Issue description

There is a module, test-module, which uses the dependency test-dependency. Because test-dependency has a version number matching one of the existing Jenkins Release plugin versions, and also writes jenkins-release-xyz into its MANIFEST.MF file, it is treated as the Jenkins Release library, and two CVEs are reported for this project even though it does not exist in the CVE database.

This is probably caused by the CPE being defined as:

```
cpe:2.3:a:jenkins:release:*:*:*:*:*:jenkins:*:*
```

test-dependency has the following content in its MANIFEST.MF file:

```
Manifest-Version: 1.0
Created-By: Maven JAR Plugin 3.3.0
Build-Jdk-Spec: 17
Build-Tag: jenkins-release-1.2.0
```

## Generating report

To reproduce this bug, run:

```sh
mvn clean install
mvn dependency-check:aggregate validate -Powasp
```

The generated report can be found in the target directory. A dependency-check-jenkins.html file has also been pushed to this repository to show the result of this operation.
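Until the misidentification is fixed in dependency-check itself, the practical mitigation is a suppression file scoped to this one artifact, so the two false CVEs disappear without hiding genuine Jenkins Release plugin findings elsewhere in the build. The following suppression file is an added example and is not part of this repository; the jar file name pattern and the suppression file name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not part of the repository).
     Suppresses the jenkins:release CPE match for the test-dependency jar only. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: test-dependency is matched to cpe:2.3:a:jenkins:release
        because its MANIFEST.MF Build-Tag contains "jenkins-release-1.2.0".
        ]]></notes>
        <!-- Jar file name pattern is an assumption; adjust it to the real artifact.
             The regex is matched against the full path of the scanned file. -->
        <filePath regex="true">.*[/\\]test-dependency-[0-9.]+\.jar$</filePath>
        <!-- Suppression CPEs use the "cpe:/a:vendor:product" form and match by prefix,
             so every CVE attached to jenkins:release is suppressed for this file. -->
        <cpe>cpe:/a:jenkins:release</cpe>
    </suppress>
</suppressions>
```

Save it as, for example, dependency-check-suppressions.xml and reference it from the `org.owasp:dependency-check-maven` plugin configuration with `<suppressionFiles><suppressionFile>dependency-check-suppressions.xml</suppressionFile></suppressionFiles>`, then re-run the commands above. Suppressing by CPE rather than by individual CVE number means newly published jenkins:release CVEs will not reappear against this jar, while the `filePath` restriction keeps the suppression from masking a real Jenkins Release dependency.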
