[FP]: New FP CVE-2020-27225 reported against org.eclipse.equinox.supplement jar

[Subrhamanya]

Package URl

pkg:maven/org.eclipse.platform/org.eclipse.equinox.supplement@1.6.100

CPE

cpe:2.3:a:eclipse:platform::::::::

CVE

CVE-2020-27225

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

10.0.3

Description

According to the conversation here, this CVE affects eclipse platform jars and not eclipse osgi equinox supplement jars.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.eclipse.platform</groupId>
   <artifactId>org.eclipse.equinox.supplement</artifactId>
   <version>1.6.100</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7663
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.platform/org\.eclipse\.equinox\.supplement@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:platform</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/15209198196

[chadlwilson]

approved - org.eclipse.equinox.supplement is versioned entirely separately to rest of the platform with which version #s and CPEs are linked to

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.