[FP]: CVE-2022-32158

[Subrhamanya]

Package URl

pkg:maven/com.splunk.logging/splunk-library-javalogging@1.11.8

CPE

cpe:2.3:a:splunk:splunk:1.11.8:*:*:*:*:*:*:*

CVE

CVE-2022-32158

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.5

Description

This CVE affects splunk enterprise deployment server, and those jars are totally different than splunk-library-java-logging according to splunk security advisory

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.splunk.logging</groupId>
   <artifactId>splunk-library-javalogging</artifactId>
   <version>1.11.8</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8020
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.splunk\.logging/splunk-library-javalogging@.*$</packageUrl>
   <cpe>cpe:/a:splunk:splunk</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/18378810497

[chadlwilson]

Approved

[github-actions]

Suppress already exists in generatedSuppressions branch. See issue #7339.

[chadlwilson]

Why are you raising the same issue again that you've already raised and had addressed?

You should check that your hosted suppressions file is syncing properly in your environment - otherwise you will not benefit from any of these suppressions.