Closed as duplicate of #8174
Description
Package URL
pkg:maven/org.eclipse.angus/[email protected]
CPE
cpe:2.3:a:eclipse:eclipse_ide::::::::
CVE
CVE-2023-4218
ODC Integration
None
ODC Version
12.1.3
Description
Dependency Check flagged CVE-2023-4218, which affects Eclipse IDE (< 2023-09 / 4.29) XML parsing:
Files with XML content may be vulnerable to XXE attacks if a user opens or updates a malicious project.
CWE-611: Improper Restriction of XML External Entity Reference
CVSSv3 Base Score: 5.0 (Medium)
Analysis:
The application does not use Eclipse IDE or its components.
Only secure versions of:
jaxb-core.jar (4.0.5)
angus-activation.jar (2.0.2)
are present.
Therefore, this alert is a false positive.
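For anyone landing here with the same finding, the usual way to silence it locally is a Dependency-Check suppression rule scoped to the mismatched artifact and CVE. The file below is an added example written for this note, not something from the issue or from the Dependency-Check project; the `notes` text is our own wording and the ticket reference is a placeholder. It matches the `org.eclipse.angus:angus-activation` Package URL reported above (any version, since the CPE mapping to `eclipse_ide` is wrong regardless of version) and suppresses only CVE-2023-4218, so a genuine CVE against this library would still be reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: angus-activation is matched to CPE eclipse:eclipse_ide and
        inherits CVE-2023-4218 (Eclipse IDE XXE). The application does not ship
        Eclipse IDE; see internal ticket TICKET-PLACEHOLDER.
        ]]></notes>
        <!-- Match the artifact by Package URL rather than by CPE so the rule stays
             narrow: it only applies to this Maven coordinate, not to every
             dependency that happens to be mis-mapped to eclipse_ide. -->
        <packageUrl regex="true">^pkg:maven/org\.eclipse\.angus/angus\-activation@.*$</packageUrl>
        <!-- Suppress a single CVE, not the whole CPE, so new advisories still surface. -->
        <cve>CVE-2023-4218</cve>
    </suppress>
</suppressions>
```

Point the scanner at the file with `--suppression suppression.xml` (CLI) or the `suppressionFile` setting of the Maven or Gradle plugin, and re-run; the finding should disappear from the report while other vulnerabilities for the same artifact, if any are ever published, remain visible.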