[FP]: False positive for apache-el-11.0.0.jar against multiple jetty 11 CVE's

[vbode]

Package URl

Package URI does not show up in Report

CPE

cpe:2.3:a:eclipse:jetty:11.0.9:::::::*

CVE

Multiple CVE's

ODC Integration

None

ODC Version

12.1.3

Description

This report is very similar to:
#7145

However now, I can't the suppression working on PackageURL, just on SHA, since the packageUrl does not show up in the report.
Possibly this is also why the FP is no longer suppressed by the hosted suppression.

This is how it shows up in the report:

[github-actions]

Error parsing package url: Package URI does not show up in Report.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/16519058549

[vbode]

Hi @aikebah, perhaps you can take a look at this FP, as it is related to an earlier one (#7145) you helped us out with?

[github-actions]

Error parsing package url: Package URI does not show up in Report.

Error: Error: Invalid purl: missing required "pkg" scheme component

Please correct the package URL - consider copying the package url from the HTML report.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/16522540281

[aikebah]

Your comment "Package URI does not show up in Report" is spot on... must be something in the way you scan - ODC is unable to recognize the jar-file as a maven artifact rendering the FP suppression useless. As you appear to be running the CLI (integration: None) make sure to activate a 'resolve maven coordinates for a jar's SHA-hash' by way of CentralAnalyzer (using Maven's Central Search; enabled by default) or one of its on-prem-enterprise-mirror-repository alternatives: NexusAnalyzer / ArtifactoryAnalyzer.

Without any of those you should expect a lot of false-positives to appear that have been properly dealt with in built-in suppression functions.

When I run the CLI on the apache-el-11 jar-file of the jetty project as published on maven central (pkg:maven/org.mortbay.jasper/apache-el@11.0.0) it gets the package-url properly associated and reports no FP.

[vbode]

If I understand correctly, the CentralAnalyzer is enabled by default. I checked our config, and we do not disable that.
These are the arguments we use when scanning:
--nvd-api-key [MASKED] -- --format=HTML --format=JSON --dbDriverName=com.microsoft.sqlserver.jdbc.SQLServerDriver --connectionString=jdbc:sqlserver://[MASKED];database=[MASKED];encrypt=False --dbUser=[MASKED] --dbPassword=[MASKED] --noupdate --hostedSuppressionsForceUpdate --disableAssembly --disableNodeJS --disableYarnAudit --ossIndexUsername=[MASKED] --ossIndexPassword=[MASKED] --nodeAuditSkipDevDependencies

This is how the package is detected in the report:

Should we try to configure the CentralAnalyzer anyway? We also use Nexus internally, would that work better?

[aikebah]

@vbode

Maven Central has:

sha-1 : 5f3f0d1b1141ef495270949bf8f044fa2f959522

Which means that it should have had a hit when searched for, but when I try to find it the way that ODC would try:

https://search.maven.org/solrsearch/select?q=1:5f3f0d1b1141ef495270949bf8f044fa2f959522&wt=xml

Central search claims that there are no hits, so that looks like a data-issue in Maven Central (legacy) search

Instead of using central analyzer that uses the Maven Central (legacy)search you could indeed also configure the Nexus analyzer, assuming that your Nexus instance among others hosts a proxy-mirror for maven central: Add --disableCentral --enableNexus and the configuration properties that start with --nexus to your scan command to do so.

[adam-siklosi]

Hi @aikebah

We have the same issue, in our case we do not have any on-prem infrastructure. So in this case the only thing we can do is to wait for the Maven Central data to be fixed right?

The configuration looks like this: --nvdApiKey [MASKED] --nvdMaxRetryCount 30 --nvdApiDelay 6500 --ossIndexRemoteErrorWarnOnly true --ossIndexUsername [MASKED] --ossIndexPassword [MASKED] --suppression ${projectDir}/owasp-suppress.xml --failOnCVSS 1 --disableRetireJS --data ${owaspDataDir} -f HTML -f XML -s .

Thanks!

[vbode]

Switching to our Nexus helped - thanks again @aikebah 👍
We configured the following URL for our nexus:
/rest/v1