[FP]: Shaded JRuby dirgra being confused for JRuby itself #4647

Closed
chadlwilson opened this issue Jul 6, 2022 · 11 comments
Labels
FP Report maven changes to the maven plugin

Comments

@chadlwilson
Contributor

chadlwilson commented Jul 6, 2022

Package URl

pkg:maven/org.jruby/dirgra@0.3

CPE

cpe:/a:jruby:jruby

CVE

No response

ODC Integration

Gradle Plugin

ODC Version

7.1.1

Description

  <suppress>
    <notes><![CDATA[
    Suppressing false positive caused by OWASP Dependency Check thinking the shaded/packaged dirgra library is the same
    as the JRuby version. These are versioned independently and not the same thing.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
  </suppress>

See https://github.com/jruby/dirgra

@github-actions
Contributor

github-actions bot commented Jul 6, 2022

Maven Coordinates

<dependency>
   <groupId>org.jruby</groupId>
   <artifactId>dirgra</artifactId>
   <version>0.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4647
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
   <cpe>cpe:/a:jruby:jruby</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2623816908

@github-actions github-actions bot added the maven changes to the maven plugin label Jul 6, 2022
@marcelstoer marcelstoer mentioned this issue Jul 21, 2022
@github-actions
Contributor

github-actions bot commented Oct 3, 2022

Maven Coordinates

<dependency>
   <groupId>org.jruby</groupId>
   <artifactId>dirgra</artifactId>
   <version>0.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4647
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
   <cpe>cpe:/a:jruby:jruby</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3172104249

@github-actions
Contributor

github-actions bot commented Oct 3, 2022

Maven Coordinates

<dependency>
   <groupId>org.jruby</groupId>
   <artifactId>dirgra</artifactId>
   <version>0.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4647
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
   <cpe>cpe:/a:jruby:jruby</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3172120850

@aikebah
Collaborator

aikebah commented Oct 9, 2022

was merged and released with 7.1.2

@aikebah aikebah closed this as completed Oct 9, 2022
@chadlwilson
Contributor Author

Hi @aikebah - are you able to point me to how this was resolved or the relevant suppression?

I am still getting this and needing to suppress with 7.2.1 via the Gradle plugin so will check if there is something else going on here.

https://github.com/gocd/gocd/blob/75e13170e1cd5eb9f07015bf69719bfb17147043/buildSrc/dependency-check-suppress.xml#L19-L26

dependency-check version: 7.2.1
Report Generated On: Sun, 9 Oct 2022 03:35:25 +0530
Dependencies Scanned: 320 (317 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 115

jruby-complete-9.3.8.0.jar (shaded: org.jruby:dirgra:0.3)
Description: Simple Directed Graph
License: EPL: http://www.eclipse.org/legal/epl-v10.html
File Path: /go/.gradle/caches/modules-2/files-2.1/org.jruby/jruby-complete/9.3.8.0/8e11191265ab501930125081d8c21a3f55f1b8cd/jruby-complete-9.3.8.0.jar/META-INF/maven/org.jruby/dirgra/pom.xml
MD5: 4d7f76247a22e56064ab9db464794cd4
SHA1: 91c78b3f134c5b1f04d3a6447d246cf0a0d9a8e2
SHA256: d0f49f7eaf14307bc8ce44b14fe999c1330e029043f6e8a125b5a9f7ed1c417a

Suppressed Identifiers

  cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:* suppressed  (Confidence:Highest)
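The suppression rule from the issue description and the report entry above, exercised in an added example. This is my own Python, not Dependency-Check code and not something posted by the participants: a simplified model of how a suppress entry with a packageUrl and a partial cpe is applied, so a suppressions file can be dry-run against findings before a long scan. It assumes simplified matching semantics (a regex packageUrl must match the whole package URL; a partial CPE matches on its leading components, case-insensitively). The first finding is the shaded dirgra entry from the report above; the second, the jruby-complete jar with its own jruby-complete@9.3.8.0 package URL and a 9.3.8.0 CPE, is constructed for contrast. The point it makes is why the packageUrl scoping in the rule matters: the same cpe element without a packageUrl would also hide the real JRuby match, and with it any JRuby CVEs.

```python
"""Dry-run an OWASP Dependency-Check suppression file against report findings.

Added example (not Dependency-Check's own matcher): a simplified model of how
a <suppress> entry scopes a CPE suppression by packageUrl.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed input: the rule from the issue, wrapped in a root element. A real
# file also declares the dependency-suppression XSD namespace; the parser below
# ignores namespaces, so both forms work.
SCOPED_RULES = r"""<suppressions>
  <suppress>
    <notes><![CDATA[
    Shaded dirgra is versioned independently of JRuby; it is not JRuby.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
    <cpe>cpe:/a:jruby:jruby</cpe>
  </suppress>
</suppressions>
"""

# Constructed contrast: the same CPE suppressed without packageUrl scoping.
UNSCOPED_RULES = """<suppressions>
  <suppress>
    <notes>Too broad: hides every jruby:jruby match, the real JRuby included.</notes>
    <cpe>cpe:/a:jruby:jruby</cpe>
  </suppress>
</suppressions>
"""


@dataclass
class Rule:
    notes: str
    package_url: str | None          # None: rule is not scoped to one package
    package_url_regex: bool
    cpes: list[tuple[str, bool]]     # (value, regex attribute set?)


@dataclass
class Finding:
    file_name: str
    package_url: str
    identifiers: list[str]           # CPE identifiers the analyzer attached


def local_name(tag: str) -> str:
    """Strip an XML namespace: '{ns}suppress' -> 'suppress'."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text: str) -> list[Rule]:
    rules = []
    for node in ET.fromstring(xml_text).iter():
        if local_name(node.tag) != "suppress":
            continue
        notes, purl, purl_regex, cpes = "", None, False, []
        for child in node:
            name, text = local_name(child.tag), (child.text or "").strip()
            is_regex = child.get("regex", "false").lower() == "true"
            if name == "notes":
                notes = text
            elif name == "packageUrl":
                purl, purl_regex = text, is_regex
            elif name == "cpe":
                cpes.append((text, is_regex))
        rules.append(Rule(notes, purl, purl_regex, cpes))
    return rules


def cpe_parts(cpe: str) -> list[str]:
    """Normalise a CPE 2.2 URI or 2.3 string to [part, vendor, product, version, ...]."""
    if cpe.startswith("cpe:2.3:"):
        parts = cpe.split(":")[2:]
    elif cpe.startswith("cpe:/"):
        parts = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError(f"not a CPE: {cpe}")
    return [p.lower() for p in parts]


def cpe_matches(rule_cpe: str, is_regex: bool, identifier: str) -> bool:
    if is_regex:
        return re.fullmatch(rule_cpe, identifier) is not None
    want, have = cpe_parts(rule_cpe), cpe_parts(identifier)
    # Partial CPE (simplified assumption): every component the rule names must
    # equal the identifier's leading components, so cpe:/a:jruby:jruby matches
    # any jruby:jruby version, while cpe:/a:jruby:jruby:0.3 matches only 0.3.
    return have[: len(want)] == want


def purl_matches(rule: Rule, package_url: str) -> bool:
    if rule.package_url is None:
        return True
    if rule.package_url_regex:
        return re.fullmatch(rule.package_url, package_url) is not None
    return rule.package_url == package_url


def apply_suppressions(rules: list[Rule], findings: list[Finding]) -> dict:
    """Return {file_name: (suppressed identifiers, identifiers still reported)}."""
    out = {}
    for f in findings:
        suppressed, remaining = [], []
        for ident in f.identifiers:
            hit = any(purl_matches(r, f.package_url)
                      and any(cpe_matches(c, rx, ident) for c, rx in r.cpes)
                      for r in rules)
            (suppressed if hit else remaining).append(ident)
        out[f.file_name] = (suppressed, remaining)
    return out


# Constructed findings: the shaded dirgra entry from the report in this thread,
# plus a hypothetical entry for the jruby-complete jar itself.
FINDINGS = [
    Finding("jruby-complete-9.3.8.0.jar (shaded: org.jruby:dirgra:0.3)",
            "pkg:maven/org.jruby/dirgra@0.3",
            ["cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:*"]),
    Finding("jruby-complete-9.3.8.0.jar",
            "pkg:maven/org.jruby/jruby-complete@9.3.8.0",
            ["cpe:2.3:a:jruby:jruby:9.3.8.0:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    for label, xml_text in (("scoped", SCOPED_RULES), ("unscoped", UNSCOPED_RULES)):
        print(label, apply_suppressions(parse_suppressions(xml_text), FINDINGS))
```

Run stand-alone it prints both outcomes: with the scoped rule only the shaded dirgra identifier is suppressed and the jruby-complete jar keeps its jruby:jruby CPE; with the unscoped rule both are silenced. When reviewing suppression files, grep for cpe elements that have no packageUrl, filePath, sha1 or similar scoping sibling, since those are the ones that can hide a real finding.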

@aikebah
Collaborator

aikebah commented Oct 9, 2022

@chadlwilson This should be fixed by #4688 according to its message (but was not picked up by GitHub automation for closure on merge), as the fixes keyword was not repeated before each mentioned issue.

@aikebah
Collaborator

aikebah commented Oct 9, 2022

Looking at the linked PR it appears that this issue was wrongly linked there... reopening

@aikebah aikebah reopened this Oct 9, 2022
@aikebah aikebah removed this from the 7.1.2 milestone Oct 9, 2022
@github-actions
Contributor

github-actions bot commented Oct 9, 2022

Maven Coordinates

<dependency>
   <groupId>org.jruby</groupId>
   <artifactId>dirgra</artifactId>
   <version>0.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4647
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jruby/dirgra@.*$</packageUrl>
   <cpe>cpe:/a:jruby:jruby</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3214142169

@aikebah
Collaborator

aikebah commented Oct 9, 2022

approved

@github-actions
Contributor

github-actions bot commented Oct 9, 2022

Suppress rule has been added to the generatedSuppressions branch.

@github-actions github-actions bot closed this as completed Oct 9, 2022
github-actions bot added a commit that referenced this issue Oct 9, 2022
@chadlwilson
Contributor Author

Ahh, I see - yeah, incorrect accidental linkage back there. Thanks!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 1, 2025