Description
Package URL
org.eclipse.equinox.http.jetty-3.7.600-v20210224-2143.jar
CPE
cpe:2.3:a:eclipse:jetty:3.7.600:20210224::::::
CVE
ODC Integration
{"label" => "Docker"}
ODC Version
12.1.3
Description
Multiple false positive vulnerabilities are getting reported by dependency checker by reading the org.eclipse.equinox.http.jetty-3.7.600-v20210224-2143.jar file, assuming that the Jetty version is "jetty-3.7.600-v20210224-2143" and reporting all the vulnerabilities open on the Jetty 3.x version.
I have mentioned only one CVE in the ticket. Since there are numerous CVEs, and these CVEs are identical and are reported for Jetty only, filing multiple reports is time consuming, so below I have listed the complete set of CVEs and the justification for them being false positives. Please consider the same.
CVE IDs
GHSA-84q7-p226-4x5w
GHSA-vgg8-72f2-qm23
GHSA-6x9x-8qw9-9pp6
GHSA-xcf5-966v-cjjm
GHSA-wfcc-pff6-rgc5
GHSA-wgmr-mf83-7x4j
GHSA-g3wg-6mcf-8jj6
GHSA-c5fh-3q27-g4r5
GHSA-qppj-fm5r-hxr3
GHSA-x7cv-v7gm-9r2x
GHSA-gwcr-j4wh-j3cq
GHSA-qw69-rqj8-6qw8
GHSA-p26g-97m4-6q7c
GHSA-m6cp-vxjx-65j6
GHSA-cj7v-27pg-wf7q
File Path: org.eclipse.equinox.http.jetty-3.7.600-v20210224-2143.jar
cpe:2.3:a:eclipse:equinox:3.7.600:20210224::::::
cpe:2.3:a:eclipse:jetty:3.7.600:20210224::::::
cpe:2.3:a:jetty:jetty:3.7.600:20210224::::::
False Positive Justification:
In Eclipse Equinox, we are using Jetty version 9.x, where these vulnerabilities are already fixed.
However, in Eclipse Equinox, dependency checker identifies Jetty version 3.7.600, which is incorrect.
Hence these vulnerabilities are considered false positives.
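As an added example (not part of the issue or of the Dependency-Check project), a suppression file that silences the mis-attributed Jetty matches for this bundle while keeping the eclipse:equinox match. It suppresses by CPE rather than by the individual GHSA/CVE IDs so that any further Jetty advisories mapped through the same wrong CPEs are covered too; the file-path regex and the 1.3 schema version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: OWASP Dependency-Check suppression rule for the Equinox HTTP Jetty bundle.
     Assumed: the bundle is located by file name; suppression schema 1.3. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      org.eclipse.equinox.http.jetty-3.7.600-v20210224-2143.jar: 3.7.600 is the version of the
      Equinox bundle, not of Jetty (the project uses Jetty 9.x, per the issue). The Jetty CPEs
      below are therefore wrong; the eclipse:equinox CPE is intentionally not suppressed.
    ]]></notes>
    <!-- Match the bundle wherever it sits in the scanned tree (assumed path pattern). -->
    <filePath regex="true">.*[\\/]org\.eclipse\.equinox\.http\.jetty-.*\.jar</filePath>
    <!-- Prefix match: suppresses every vulnerability mapped via these two product identifiers. -->
    <cpe>cpe:/a:eclipse:jetty</cpe>
    <cpe>cpe:/a:jetty:jetty</cpe>
  </suppress>
</suppressions>
```

Pass the file to the scan with the CLI option --suppression; re-check the report afterwards to confirm that only the two Jetty CPEs disappeared and the equinox identification remains.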