PostgreSQL JDBC false positive: version ranges misread #1488
False positive on PostgreSQL JDBC - reported as:

CVE-2018-1115 affects PostgreSQL “before versions 10.4, 9.6.9” (and then only the admin pack), but 42.2.5 is definitely higher than 10.4 so it should not fire at all!

So, there’s ① a bug in the version matching (or the NVD data) and ② the JDBC should only be affected by JDBC bugs, not database bugs, if possible (probably outside the scope of your plugin, but you’d know better whom to report this issue to, especially as there is already a cpe for the JDBC, as far as I can see above).

Comments

You've failed to give us the version you are using, however this appears to have been fixed for some time now, see 9bc315c

Mark Prins dixit:

> You've failed to give us the version you are using, however this

    <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.2.1</version>
        <executions>
            <execution>
                <goals>
                    <goal>aggregate</goal>
                </goals>
                <configuration>
                    <failBuildOnCVSS>8</failBuildOnCVSS>
                    <skipArtifactType>pom</skipArtifactType>
                    <suppressionFiles>
                        <suppressionFile>release/dependency-check-suppressions.xml</suppressionFile>
                    </suppressionFiles>
                </configuration>
            </execution>
        </executions>
    </plugin>

> appears to have been fixed for some time now, see
> 9bc315c

Will have a look.

Hm, I see, so upgrading the plugin to 3.3.1 will likely fix that?

Yup, fixed. Thanks, and sorry for the noise.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.