[FP]: CVE-2022-41852 has been rejected

[RomRom1]

Package URl

pkg:maven/commons-jxpath/commons-jxpath@1.3

CPE

cpe:2.3:a:apache:commons_jxpath:1.3:::::::*

CVE

CVE-2022-41852

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

7.3.2

Description

CVE-2022-41852 has been rejected

This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue

Present in spring-cloud-netflix-eureka-client v3.1.4 ( cf. Netflix/eureka#1471 )

[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:3.1.4:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:3.1.4:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.10.17:compile
[INFO] |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:compile
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime

[github-actions]

Maven Coordinates

<dependency>
   <groupId>commons-jxpath</groupId>
   <artifactId>commons-jxpath</artifactId>
   <version>1.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5092
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3547275815

[github-actions]

Maven Coordinates

<dependency>
   <groupId>commons-jxpath</groupId>
   <artifactId>commons-jxpath</artifactId>
   <version>1.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5092
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3547368448

[aikebah]

Something you should take up with the vulnerability source - Sonatype OSSIndex. As their researchers link package-URLs to vulnerabilities their researchers are either not aware of it, or they disagree with the analysis that it's not a security vulnerability. Best course forward would be opening a ticket for it at https://github.com/OSSIndex/vulns (which is known to sometimes take a while to get responses).

Also note the discussions on the related github issue: there is a big security risk in the library when you use it to process XPaths (partly) based on untrusted inputs

[github-actions]

Maven Coordinates

<dependency>
   <groupId>commons-jxpath</groupId>
   <artifactId>commons-jxpath</artifactId>
   <version>1.3</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5092
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/commons-jxpath/commons-jxpath@.*$</packageUrl>
   <cpe>cpe:/a:apache:commons_jxpath</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3563743697

[RomRom1]

@aikebah Thanks for your advice !

To go further : apache/commons-jxpath#25 & apache/commons-jxpath#26

In particular case of Eureka Client, an issue has been opened : Netflix/eureka#1471