[FP]: CVE-2018-11788 on cxf-karaf-commands-3.6.9

[prabutdr]

Package URl

pkg:maven/org.apache.cxf.karaf/cxf-karaf-commands@3.6.9

CPE

cpe:2.3:a:apache:karaf:::::::: versions up to (excluding) 4.1.7

CVE

CVE-2018-11788

ODC Integration

None

ODC Version

12.2.0

Description

This CVE-2018-11788 impacts only on "apache:karaf" packages as per cpe provided by NVD. But tool is reporting CVE-2018-11788 on "org.apache.cxf.karaf/cxf-karaf-commands" jars as well, this is all together different package, which is wrong.

From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.cxf.karaf</groupId>
  <artifactId>cxf-karaf-commands</artifactId>
  <version>3.6.9</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8339
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.cxf\.karaf/cxf-karaf-commands@.*$</packageUrl>
    <cpe>cpe:/a:apache:karaf</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/22705430152

[chadlwilson]

Approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.

[chadlwilson]

@prabutdr you only need to open one report per package and CPE combination in future (not per CVE)