[FP]: CVE-2022-37734 reported on java-dataloader-5.0.2

[juan-comesana-curity]

Package URl

pkg:maven/com.graphql-java/java-dataloader@5.0.2

CPE

cpe:2.3:a:graphql-java_project:graphql-java:5.0.2:::::::*

CVE

CVE-2022-37734

ODC Integration

{"label" => "Gradle Plugin"}

ODC Version

12.2.0

Description

This looks like a false positive. It only happens with version 12.2.0, at least from 12.1.6.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>com.graphql-java</groupId>
  <artifactId>java-dataloader</artifactId>
  <version>5.0.2</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8387
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.graphql-java/java-dataloader@.*$</packageUrl>
    <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/23585304980

[chadlwilson]

The data loader is versioned independently of graphql itself, so approved.

Earlier versions of the gradle plugin were more likely to get false negative matches of artifacts, especially for ones built like Graphql which are built with Gradle itself (which is possibly why you didn't see it earlier).

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.