
[FP]: CVE-2019-25087, which applies to a C++ project, is being flagged on any dependency with substrings httpserver, http-server or http_server in the name #6870

Closed
volkert-fastned opened this issue Jul 23, 2024 · 8 comments
Labels
FP Report maven changes to the maven plugin unable to reproduce

Comments


volkert-fastned commented Jul 23, 2024

Package URL

pkg:maven/io.micronaut/micronaut-http-server-netty@4.4.8

CPE

cpe:2.3:a:http_server_project:http_server:4.4.8:*:*:*:*:*:*:*

CVE

CVE-2019-25087

ODC Integration

Gradle Plugin

ODC Version

10.0.3

Description

CVE-2019-25087 applies to a project called RamseyK httpserver, which is a C++ project. But the CPE seems to flag any dependency that appears to have the substring http server in the name, or httpserver, http-server, http_server, etc.

Yet another example of a language/platform mismatch and a CPE pattern being applied too broadly. @OrangeDog FYI


Maven Coordinates

<dependency>
   <groupId>io.micronaut</groupId>
   <artifactId>micronaut-http-server-netty</artifactId>
   <version>4.4.8</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6870
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.micronaut/micronaut-http-server-netty@.*$</packageUrl>
   <cpe>cpe:/a:http_server_project:http_server</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10059812343
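Added example, not part of this issue thread or of DependencyCheck's own code: a simplified Python model of how the suppression rule quoted above is evaluated. It assumes (as the ODC suppression format documents) that a `<suppress>` entry applies only when the `packageUrl` regex matches and the identified CPE 2.3 string begins with the suppressed partial CPE; the boundary handling is my assumption. It makes visible that this rule is scoped to one artifact and would not cover other dependencies with httpserver/http-server/http_server in the name.

```python
import re
import xml.etree.ElementTree as ET

# Suppression rule as quoted in the bot comment above.
SUPPRESSION_XML = r"""<suppress base="true">
   <notes><![CDATA[
   FP per issue #6870
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.micronaut/micronaut-http-server-netty@.*$</packageUrl>
   <cpe>cpe:/a:http_server_project:http_server</cpe>
</suppress>"""


def cpe22_to_23_prefix(cpe22: str) -> str:
    """Map a CPE 2.2 URI ('cpe:/a:vendor:product') to the 'cpe:2.3:a:vendor:product'
    prefix that identified CPEs are compared against."""
    if not cpe22.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe22}")
    return "cpe:2.3:" + cpe22[len("cpe:/"):]


def parse_suppression(xml_text: str) -> dict:
    """Extract the packageUrl matcher and partial-CPE prefix from a <suppress> element."""
    root = ET.fromstring(xml_text)
    purl = root.find("packageUrl")
    cpe = root.find("cpe")
    is_regex = purl.get("regex") == "true"
    return {
        "purl_pattern": re.compile(purl.text.strip()) if is_regex else None,
        "purl_literal": None if is_regex else purl.text.strip(),
        "cpe_prefix": cpe22_to_23_prefix(cpe.text.strip()),
    }


def suppresses(rule: dict, purl: str, cpe23: str) -> bool:
    """Both conditions of the rule must hold: packageUrl match AND partial CPE match.
    Simplified model (assumption): the CPE matches when the identified CPE equals the
    prefix or continues past it at a ':' field boundary, so 'http_server' does not
    accidentally cover a product such as 'http_servers'."""
    if rule["purl_pattern"] is not None:
        purl_ok = rule["purl_pattern"].search(purl) is not None
    else:
        purl_ok = rule["purl_literal"] == purl
    prefix = rule["cpe_prefix"]
    cpe_ok = cpe23 == prefix or cpe23.startswith(prefix + ":")
    return purl_ok and cpe_ok


# Constructed sample inputs: the reported finding and a sibling artifact.
REPORTED_PURL = "pkg:maven/io.micronaut/micronaut-http-server-netty@4.4.8"
REPORTED_CPE = "cpe:2.3:a:http_server_project:http_server:4.4.8:*:*:*:*:*:*:*"
OTHER_PURL = "pkg:maven/io.micronaut/micronaut-http-client@4.4.8"
```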

@github-actions github-actions bot added the maven changes to the maven plugin label Jul 23, 2024

Maven Coordinates

<dependency>
   <groupId>io.micronaut</groupId>
   <artifactId>micronaut-http-server-netty</artifactId>
   <version>4.4.8</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6870
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.micronaut/micronaut-http-server-netty@.*$</packageUrl>
   <cpe>cpe:/a:http_server_project:http_server</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10059838681


Maven Coordinates

<dependency>
   <groupId>io.micronaut</groupId>
   <artifactId>micronaut-http-server-netty</artifactId>
   <version>4.4.8</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6870
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/io\.micronaut/micronaut-http-server-netty@.*$</packageUrl>
   <cpe>cpe:/a:http_server_project:http_server</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10059832457


OrangeDog commented Jul 23, 2024

Yet another example of a language/platform mismatch and a CPE pattern being applied too broadly. @OrangeDog FYI

No it isn't. The CPE says *.

Also, please don't tag me in issues I'm not involved with.


volkert-fastned commented Jul 23, 2024

My apologies. I was a bit too much "on autopilot" while opening all these FPs, while switching back and forth with other tasks.

But even though the CPE didn't set a specific language here, it still appears to only apply to a non-Java project. So it would appear that the CPE was defined too broadly. If the native C++ code were somehow a transitive dependency of any of the flagged dependencies, the plugin would have specifically pointed to the pkg of that subdependency, wouldn't it?

@OrangeDog

it still appears to only apply to a non-Java project

There's no way for any tool to know that, because it's not encoded in the CPE. That is the usual case for projects that do not have versions in multiple languages.


aikebah commented Oct 16, 2024

@volkert-fastned tried reproducing locally with a gradle project and gradle plugin, but my local environment appears to agree with our maven-based bot automation report in that the false-positive you mention is not showing up for implementation("io.micronaut", "micronaut-http-server-netty", "4.4.8")

@nhumblot

Closing as unable to reproduce and no additional information from the author.

nhumblot closed this as not planned, Dec 30, 2024