[FP]: False positives for splunk-library-javalogging #7339
Comments
Error parsing package url: https://mvnrepository.com/artifact/com.splunk.logging/splunk-library-javalogging/1.8.0. Error: Error: Invalid purl: missing required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12901598825
Error parsing package url: https://mvnrepository.com/artifact/com.splunk.logging/splunk-library-javalogging/1.8.0. Error: Error: Invalid purl: missing required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12901614690
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12901638649
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12901679688
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12901761925
Hi @Subrhamanya - can you make a (useless) edit to the description again? The automation was broken before and didn't run, but it's hopefully fixed now.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/12910055869
@chadlwilson It failed again with https://mvnrepository.com/artifact/com.splunk.logging/splunk-library-javalogging/1.11.8
It looks like it's not published to Maven Central. Do you get it from Splunk's repo, e.g.
@chadlwilson It's available in Maven. I have attached the link above. https://mvnrepository.com/artifact/com.splunk.logging/splunk-library-javalogging/1.11.8
"Mvnrepository" is just a custom indexing website run by a single person. It is not Maven Central and not official, and it indexes artifacts from many different repositories. In this case it's a custom repository run by Splunk; I am asking if you are also retrieving the artifact in your builds from the custom Splunk repository. That's why the automation fails.
Ahh ok, got it. Yes, I am also getting it from there.
See #7344 - that should unblock this. We can always create a manual suppression, but it's much easier to fix the automation for the future in case there are issues with other Splunk artifacts.
Maven Coordinates

```xml
<dependency>
   <groupId>com.splunk.logging</groupId>
   <artifactId>splunk-library-javalogging</artifactId>
   <version>1.11.8</version>
</dependency>
```

Suppression rule:

```xml
<suppress base="true">
   <notes><![CDATA[
   FP per issue #7339
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.splunk\.logging/splunk-library-javalogging@.*$</packageUrl>
   <cpe>cpe:/a:splunk:splunk</cpe>
</suppress>
```

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12919768630
Approved
Suppress rule has been added to the |
Package URL
pkg:maven/com.splunk.logging/[email protected]
CPE
cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*:*
CVE
CVE-2022-32158
ODC Integration
Maven Plugin
ODC Version
12.0.0
Description
There are too many false positive CVEs reported against splunk-library-javalogging. These CVEs should have been reported against the Splunk application rather than this jar.
Previous issue raised (it has the full CVE list; sharing a single CVE above):
#7242
CPE id: cpe:2.3:a:splunk:splunk::::::::
cc: @chadlwilson @jeremylong