[FP]: Incorrect CVE Detection – CVE-2010-4647

[MohammedSuhaibT]

Package URl

pkg:maven/org.eclipse.angus/angus-activation@2.0.2

CPE

cpe:2.3:a:eclipse:eclipse_ide::::::::

CVE

CVE-2010-4647

ODC Integration

None

ODC Version

12.1.3

Description

CVE-2010-4647 describes XSS vulnerabilities in the Help Server of Eclipse IDE versions before 3.6.2, affecting JSP pages such as help/index.jsp and help/advanced/content.jsp.

Our Application does not use the Eclipse IDE or its Help Server components.
The flagged dependency (angus-activation.jar 2.0.2) is unrelated and not impacted.
The application uses modern JAXB and activation libraries only, which are not vulnerable.

This is a false positive due to incorrect association of the CVE with the scanned jar.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.eclipse.angus</groupId>
   <artifactId>angus-activation</artifactId>
   <version>2.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8174
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.eclipse\.angus/angus-activation@.*$</packageUrl>
   <cpe>cpe:/a:eclipse:eclipse_ide</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/19921992300

[chadlwilson]

There is already an existing suppression for this.

If it's not working in your case it means your scans are not correctly matching jar dependencies to maven coordinates and you need to address this in your environment.

Also, your ODC is outdated.