False Positive on ActiveMQ Artemis libraries #1581

Closed
RobertPaasche opened this issue Nov 24, 2018 · 1 comment

Please delete any un-needed section from the following issue template:

Reporting False Positives

The libraries artemis-hornetq-protocol-2.6.3.jar and artemis-native-2.6.3.jar of the Apache ActiveMQ Artemis are detected as Apache HTTP Server.
So many CVEs are detected on both; some examples are:
CVE-2010-0425
CVE-2011-1783
CVE-2007-642
CVE-2009-1890
CVE-2010-0408
CVE-2010-1151
and around 40 more.

Example

False positive on library artemis-hornetq-protocol-2.6.3.jar - reported as cpe:/a:apache:apache_http_server:2.6.3 and cpe:/a:apache:http_server:2.6.3

    <identifiers>
      <identifier type="cpe" confidence="LOW">
        <name>cpe:/a:apache:apache_http_server:2.6.3</name>
        <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aapache_http_server</url>
      </identifier>
      <identifier type="maven" confidence="HIGH">
        <name>org.apache.activemq:artemis-hornetq-protocol:2.6.3</name>
      </identifier>
      <identifier type="cpe" confidence="LOW">
        <name>cpe:/a:apache:http_server:2.6.3</name>
        <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Ahttp_server</url>
      </identifier>
    </identifiers>

False positive on library artemis-native-2.6.3.jar - reported as cpe:/a:apache:apache_http_server:2.6.3

    <identifiers>
      <identifier type="maven" confidence="HIGH">
        <name>org.apache.activemq:artemis-native:2.6.3</name>
      </identifier>
      <identifier type="cpe" confidence="LOW">
        <name>cpe:/a:apache:apache_http_server:2.6.3</name>
        <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&amp;cves=on&amp;cpe_version=cpe%3A%2Fa%3Aapache%3Aapache_http_server</url>
      </identifier>
    </identifiers>

    <dependency>
       <groupId>org.apache.activemq</groupId>
       <artifactId>artemis-hornetq-protocol</artifactId>
       <version>2.6.3</version>
    </dependency>
    <dependency>
       <groupId>org.apache.activemq</groupId>
       <artifactId>artemis-native</artifactId>
       <version>2.6.3</version>
    </dependency>
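
Added example, not part of the original issue and not the scanner's own logic: a triage heuristic that parses an `<identifiers>` block like the ones above and lists LOW-confidence CPEs whose product name shares no word with the Maven artifactId, so they can be reviewed before their CVE matches are trusted. The function names, the word-overlap rule and the trimmed sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the artemis-native identifiers from the report, <url> omitted.
SAMPLE = """<identifiers>
  <identifier type="maven" confidence="HIGH">
    <name>org.apache.activemq:artemis-native:2.6.3</name>
  </identifier>
  <identifier type="cpe" confidence="LOW">
    <name>cpe:/a:apache:apache_http_server:2.6.3</name>
  </identifier>
</identifiers>"""


def tokens(text):
    """Lower-case alphanumeric words: 'artemis-native' -> {'artemis', 'native'}."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def suspect_cpes(identifiers_xml):
    """Return LOW-confidence CPE names whose product shares no word with the artifactId."""
    root = ET.fromstring(identifiers_xml)
    artifact_words, cpes = set(), []
    for ident in root.iter("identifier"):
        name = (ident.findtext("name") or "").strip()
        if ident.get("type") == "maven":
            parts = name.split(":")  # groupId:artifactId:version
            if len(parts) >= 2:
                # artifactId only: a groupId such as org.apache.* would match
                # any Apache product and hide the mismatch.
                artifact_words |= tokens(parts[1])
        elif ident.get("type") == "cpe":
            cpes.append((name, ident.get("confidence", "")))
    flagged = []
    for name, confidence in cpes:
        fields = name.split(":")  # ['cpe', '/a', vendor, product, version]
        if confidence != "LOW" or len(fields) < 4 or not artifact_words:
            continue  # nothing to compare, or not a low-confidence guess
        if not tokens(fields[3]) & artifact_words:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for cpe in suspect_cpes(SAMPLE):
        print("review before trusting CVE matches:", cpe)
```

A flagged CPE is only a candidate for review; a product whose CPE name legitimately differs from its artifactId will also be listed.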

lock bot commented Jan 17, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked and limited conversation to collaborators Jan 17, 2019