
[FP]: False positive findings in Dependency Checker for Apache Kafka #7741

@vasec635

Package URL

kafka/3.9.0/1/fast/libs/scala-java8-compat_2.13-1.0.2.jar

CPE

cpe:2.3:a:scala-lang:scala:1.0.2:*:*:*:*:*:*:*

CVE

CVE-2017-15288

ODC Integration

Docker

ODC Version

12.1.0

Description

Hi Team,

We are getting vulnerability CVE-2017-15288 in the Dependency Checker tool findings, although as per our analysis we consider it a false positive.

Kindly check and get it fixed in the Dependency Checker tool, so that this false positive does not appear in the scan report.

The Dependency Checker tool is scanning the below-mentioned path:
File Path: kafka/3.9.0/1/fast/libs/scala-java8-compat_2.13-1.0.2.jar

Justification: This vulnerability is reported on Kafka versions 3.6.2, 3.7.1 and 3.8.1. However, in the product, Kafka version 3.9.0 is present.

Hence this vulnerability is a false positive.
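When a finding like this is confirmed as a false positive, the way to keep it out of the report without waiting for a tool change is a Dependency-Check suppression file. The file below is an added example, not part of this issue or of the project's own sources; it uses only the jar path and the CPE shown in the report, and the note text is constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- The report shows the scanner assigned cpe:2.3:a:scala-lang:scala:1.0.2 to
         scala-java8-compat_2.13-1.0.2.jar, and CVE-2017-15288 follows from that CPE.
         Scope the suppression to that one jar so other Scala artifacts stay visible. -->
    <suppress>
        <notes><![CDATA[
        Reported as a false positive in dependency-check issue #7741
        (kafka/3.9.0/1/fast/libs/scala-java8-compat_2.13-1.0.2.jar).
        ]]></notes>
        <!-- Regex on the file path; matches both '/' and '\' separators. -->
        <filePath regex="true">.*[/\\]scala-java8-compat_2\.13-1\.0\.2\.jar</filePath>
        <!-- Suppressing the CPE removes every CVE that came from this identification.
             To silence only the one CVE and keep any future ones tied to the same CPE,
             replace the <cpe> element with: <cve>CVE-2017-15288</cve> -->
        <cpe>cpe:/a:scala-lang:scala</cpe>
    </suppress>
</suppressions>
```

Pass the file to the scanner with the CLI's `--suppression` option; a `<sha1>` element pinned to the jar's hash would scope the rule even more tightly, but the hash is not given in this report.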
