PostgreSQL JDBC false positive: version ranges misread

[mirabilos]

False positive on PostgreSQL JDBC - reported as:

postgresql-42.2.5.jar (org.postgresql:postgresql:42.2.5, cpe:/a:postgresql:postgresql:42.2.5, cpe:/a:postgresql:postgresql_jdbc_driver:42.2.5) : CVE-2018-1115

<dependency>
	<groupId>org.postgresql</groupId>
	<artifactId>postgresql</artifactId>
	<version>42.2.5</version>
</dependency>

CVE-2018-1115 affects PostgreSQL “before versions 10.4, 9.6.9” (and then only the admin pack), but 42.2.5 is definitely higher than 10.4 so it should not fire at all!

So, there’s ① a bug in the version matching (or the NVE data) and ② the JDBC should only be affected by JDBC bugs, not database bugs, if possible (probably outside the scope of your plugin, but you’d know better whom to report this issue to, especially as there is already a cpe for the JDBC, as far as I can see above).

[mprins]

You've failed to give us the version you are using, however this appears to have been fixed for some time now, see 9bc315c

[mirabilos]

Mark Prins dixit:

You've failed to give us the version you are using, however this

<plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>3.2.1</version> <executions> <execution> <goals> <goal>aggregate</goal> </goals> <configuration> <failBuildOnCVSS>8</failBuildOnCVSS> <skipArtifactType>pom</skipArtifactType> <suppressionFiles> <suppressionFile>release/dependency-check-suppressions.xml</suppressionFile> </suppressionFiles> </configuration> </execution> </executions> </plugin>

appears to have been fixed for some time now, see 9bc315c

Will have a look.

[mirabilos]

Hm, I see, so upgrading the plugin to 3.3.1 will likely fix that?

[mirabilos]

Yup, fixed. Thanks, and sorry for the noise.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.