Description
Package URL
pkg:jetty-3.7.600-v20210224-2143.jar
CPE
cpe:2.3:a:eclipse:equinox:3.7.600:20210224::::::
cpe:2.3:a:eclipse:jetty:3.7.600:20210224::::::
cpe:2.3:a:jetty:jetty:3.7.600:20210224::::::
CVE
No response
ODC Integration
{"label" => "Docker"}
ODC Version
7.1.0
Description
Hi Team,
We are getting the following vulnerabilities (CVEs) in the Dependency Checker tool findings, although as per our analysis we consider them false positives.
The CVE details and our justification for false positive for each CVE are mentioned below.
Kindly check and get it fixed in the Dependency Checker tool, so these false positives do not appear in the scan report.
CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2009-5045, CVE-2017-9735, CVE-2022-2048, CVE-2020-27216
The Dependency Checker tool is scanning the below-mentioned path:
File Path: org.eclipse.equinox.http.jetty-3.7.600-v20210224-2143.jar
Justification: The Dependency Checker tool is identifying the Jetty version as 3.7.600 by reading this version from the jar file, which is incorrect.
Hence this vulnerability is considered a false positive.
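
Until the tool's matching is corrected, a local suppression file can keep these findings out of the report. The following is an added example, not part of the original report or the project's own suppression rules; it assumes the reporter's analysis holds, and the file name `odc-suppressions.xml` is hypothetical. It scopes the suppression to the exact jar file name and the seven CVEs listed above, so any other Jetty CVE matched against this jar, or any of these CVEs matched against a different jar, is still reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- odc-suppressions.xml (hypothetical file name): added example, not from the original issue -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Reported false positive: 3.7.600 is read from the jar and treated as the
      Jetty version. Scoped to one file name and the CVEs named in the report;
      review again whenever this bundle is upgraded.
    ]]></notes>
    <!-- Match only this jar, wherever it sits in the scanned tree -->
    <filePath regex="true">.*org\.eclipse\.equinox\.http\.jetty-3\.7\.600-v20210224-2143\.jar</filePath>
    <!-- Suppress only the CVEs listed in the report, not the whole Jetty CPE -->
    <cve>CVE-2017-7656</cve>
    <cve>CVE-2017-7657</cve>
    <cve>CVE-2017-7658</cve>
    <cve>CVE-2009-5045</cve>
    <cve>CVE-2017-9735</cve>
    <cve>CVE-2022-2048</cve>
    <cve>CVE-2020-27216</cve>
  </suppress>
</suppressions>
```

The file is passed to the scanner with the `--suppression` option of the command-line tool, which the Docker image also accepts as an argument.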