[FP]: kotlin-stdlib-jdk7-1.9.25 (CVE-2020-29582)

[cor3000]

Package URl

pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.25

CPE

cpe:2.3:a:jetbrains:kotlin:1.9.25:::::::*

CVE

CVE-2020-29582

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.2.0

Description

https://nvd.nist.gov/vuln/detail/CVE-2020-29582 the change history indicates a change last week affecting the kotlin version while adding a link to apache kafka ... I could imagine the updater meant to add a CPE to kafka version 2.1.0 and not change the kotlin version from 1.4.21 to 2.1.0

at the same time the generated XML snippets to suppress the FP don't seem to have any effect and the build keeps breaking reporting the same issue

[ERROR] kotlin-stdlib-1.9.25.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.25, cpe:2.3:a:jetbrains:kotlin:1.9.25:*:*:*:*:*:*:*): CVE-2020-29582(5.3)

neither of the 2 snippetsw below suppresses the FP(?)

<suppress>
   <notes><![CDATA[
   file name: kotlin-stdlib-1.9.25.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib@.*$</packageUrl>
   <cve>CVE-2020-29582</cve>
</suppress>

<suppress>
   <notes><![CDATA[
   file name: kotlin-stdlib-1.9.25.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib@.*$</packageUrl>
   <cpe>cpe:/a:jetbrains:kotlin</cpe>
</suppress>

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.jetbrains.kotlin</groupId>
  <artifactId>kotlin-stdlib</artifactId>
  <version>1.9.25</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8343
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-stdlib@.*$</packageUrl>
    <cpe>cpe:/a:jetbrains:kotlin</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/22718872103

[chadlwilson]

The actual FP will need to be addressed with NVD. We do not fix issues with upstream data sources on their behalf. That would be completely unsustainable - data must be fixed at source.

As for the suppression issues, it's better not to conflate two separate things into one issue as it's confusing - but.please provide a way to replicate your problem. Are you sure your suppression file is configured and being used correctly?

[cor3000]

I agree, and contacted NVD directly. I'll try to reproduce the issue outside our project and post a dedicated issue in case it's still relevant in a few days.

[chadlwilson]

Ok. Suppressions shouldn't be complex to get working though.

[cor3000]

my bad, I hadn't spotted the subtle differences earlier. In the end several similar sounding packages had to be suppressed to silence the output.
So everything works as expected with the rule below.

    <suppress>
        <notes><![CDATA[
            Suppress false positive for kotlin-* jars
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin-(common|stdlib-common|stdlib|reflect|stdlib-jdk7|stdlib-jdk8)@.*$</packageUrl>
        <cve>CVE-2020-29582</cve>
    </suppress>