[FP]: CVE-2019-10782 and CVE-2019-9658 on ktlint-cli-reporter-checkstyle

[aleyipsoftwire]

Package URl

pkg:maven/com.pinterest.ktlint/ktlint-cli-reporter-checkstyle@1.6.0

CPE

cpe:2.3:a:checkstyle:checkstyle:1.6.0:*:*:*:*:*:*:*

CVE

CVE-2019-10782, CVE-2019-9658

ODC Integration

{"label" => "Gradle Plugin"}

ODC Version

12.1.7

Description

I believe this is nearly identical to #4344, that was a report for ktlint-reporter-checkstyle and this is a report for ktlint-cli-reporter-checkstyle (note cli). That FP was was suppressed in #4365.

Version 1.6.0 is used above, but the same occurs with 1.5.0 and probably other versions.

TIA!

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.pinterest.ktlint</groupId>
   <artifactId>ktlint-cli-reporter-checkstyle</artifactId>
   <version>1.6.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8040
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.pinterest\.ktlint/ktlint-cli-reporter-checkstyle@.*$</packageUrl>
   <cpe>cpe:/a:checkstyle:checkstyle</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/18468793151

[chadlwilson]

Approved.

While the FP is valid on its own, the root cause of you seeing this now is probably dependency-check/dependency-check-gradle#479 (comment) (unless you specifically had scanBuildEnv = true enabled before upgrade to 12.1.7 - it has accidentally enabled itself by default in 12.1.7)

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.