[FP]: False positive findings in Dependency Checker for jackson-core component

[ashu4]

Package URl

pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.2

CPE

cpe:2.3:a:fasterxml:jackson-modules-java8:2.14.2:::::::* cpe:2.3:a:json-java_project:json-java:2.14.2:::::::*

CVE

CVE-2023-5072

ODC Integration

{"label" => "Docker"}

ODC Version

7.1.0

Description

Hi Team,

We are getting following vulnerabilities (CVEs) in Dependency Checker Tool findings, although as per our analysis we consider them as false positive.
CVEs details and our justification for false positive for each CVE is mentioned below.
Kindly check and get it fixed in Dependency Checker tool. So these false positive does not appear in scan report.

CVE-2023-5072
Dependency Checker tool is scanning below mentioned path
File Path: jackson-core.jar

Justification: This vulnerability is specific to json-java library.
Tool is reporting this vulnerability on jackson-core library. Although this vulnerability is specific to json-java library.
json-java is also not a dependent libary of jackson-core.
Hence this vulnerability is false positive.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-core</artifactId>
   <version>2.14.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7385
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-core@.*$</packageUrl>
   <cpe>cpe:/a:fasterxml:jackson-modules-java8</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/13235156712

[aikebah]

Not reproducible with an up-to-date CLI - update your DependencyCheck CLI version, it's outdated