[FP]: CVE-2019-17543, which applies to the lz4 (native C) library, gets applied to lz4-java, which is a Java wrapper for it, but with its own versioning #6696
This FP suddenly popped up when I tried to upgrade a project from Kotlin 1.9.x to Kotlin 2.0. Not sure why that triggered this. During the same upgrade attempt, the following FPs suddenly popped up as well:
Package URL: pkg:maven/org.lz4/lz4-java@1.8.0
CPE: cpe:2.3:a:lz4_project:lz4:1.8.0:*:*:*:*:*:*:*
CVE: CVE-2019-17543
ODC Integration: Gradle Plugin
ODC Version: 9.2.0
Description:
According to NIST, CVE-2019-17543 affects versions of LZ4 before 1.9.2.
However, lz4-java, which has LZ4 as a JNI dependency, has its own versioning, and version 1.8.0 of lz4-java, which is getting flagged here, already includes LZ4 version 1.9.3, which no longer has that vulnerability.
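The mismatch described in this report (the wrapper's own version number being matched against the native library's CPE) is the usual cause of this kind of false positive, and until the CPE mapping is corrected the practical mitigation is a narrowly scoped suppression. The following suppression file is an added example, not part of the issue or of the Dependency-Check project's own configuration; the file path and the notes text are assumptions, while the schema URL, the `packageUrl` regex and `cve` elements are the standard Dependency-Check suppression format.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical file: config/dependency-check-suppressions.xml -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: the CPE cpe:2.3:a:lz4_project:lz4 is matched using the
        lz4-java artifact version (1.8.0), but lz4-java 1.8.0 bundles native LZ4
        1.9.3, which is not affected by CVE-2019-17543 (fixed in LZ4 1.9.2).
        Scope: this suppresses only this CVE, so any future LZ4 advisory would
        still be reported and can be evaluated against the bundled native version.
        ]]></notes>
        <!-- Match the Java wrapper by package URL, independent of the CPE that was assigned -->
        <packageUrl regex="true">^pkg:maven/org\.lz4/lz4\-java@.*$</packageUrl>
        <cve>CVE-2019-17543</cve>
    </suppress>
</suppressions>
```

Suppressing the single CVE rather than the whole `lz4_project:lz4` CPE keeps later findings visible: a suppression on the CPE would silence every future advisory for the native library, whereas the real exposure of lz4-java depends on which LZ4 version it bundles, and that should be checked release by release rather than assumed. With the Gradle plugin the file is referenced through the plugin's `suppressionFile` setting, and the finding still appears in the report's suppressed section, so the decision stays auditable.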