[FP]: False positive findings in Dependency Checker for Logback

[va699]

Package URl

pkg:maven/ch.qos.logback/logback-core@1.2.13

CPE

cpe:2.3:a:qos:logback:1.0.15.56:::::::*

CVE

CVE-2017-5929

ODC Integration

{"label" => "Docker"}

ODC Version

12.1.0

Description

CVE-2017-5929 is erroneously reported for the product. Product is using logback version 1.2.13 and CVE could only impact wehre version < 1.2.0

[github-actions]

Maven Coordinates

<dependency>
   <groupId>ch.qos.logback</groupId>
   <artifactId>logback-core</artifactId>
   <version>1.2.13</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7873
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
   <cpe>cpe:/a:qos:logback</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/17061462253

[aikebah]

The FP you mention is not reproducable. The only CVEs reported are two CVEs returned by OSSIndex for logback-core 1.2.13: CVE-2024-12798 and CVE-2024-12801