
FP for CVE-2016-3720 on non-affected Jackson version #535


Closed
asieira opened this issue Aug 3, 2016 · 5 comments

@asieira

asieira commented Aug 3, 2016

This is related to the same vulnerability and package as jeremylong/DependencyCheck#517 but is not exactly the same problem.

I have all the Jackson dependencies at version 2.7.6, which according to the NVD entry and CPE is not affected by the vulnerability. Still, I'm getting the following output on my check dependencies log:

One or more dependencies were identified with known vulnerabilities in <redacted>:

jackson-core-2.7.6.jar (com.fasterxml.jackson.core:jackson-core:2.7.6, cpe:/a:fasterxml:jackson:2.7.6) : CVE-2016-3720

These are the dependencies that triggered this:

        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.7.6</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-annotations</artifactId>
            <version>2.7.6</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.dataformat</groupId>
            <artifactId>jackson-dataformat-cbor</artifactId>
            <version>2.7.6</version>
        </dependency>
@jeremylong
Collaborator

What version of dependency-check are you using? I just tested these three dependencies (with the current snapshot) and they were not flagged as vulnerable.

@asieira
Author

asieira commented Aug 22, 2016

                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>1.4.2</version>

@jeremylong
Collaborator

Can you delete the dependency-check database and retest this? While there is a CPE match for jackson-core - no vulnerabilities are showing up (because we are using a safer version) when I run this exact same test with a fresh database. Just wondering if something got out of sync with the NVD.
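
The distinction drawn above, that a CPE match for jackson-core is only a product identification and a CVE should be reported only when the version also falls inside that CVE's configured range, as an added example (not dependency-check's own code). The affected range used here is a stand-in assumption, not the live NVD data for CVE-2016-3720; the key names follow the NVD JSON feed convention.

```python
import re

# Added example, not dependency-check's own code. A CPE identification such as
# cpe:/a:fasterxml:jackson:2.7.6 is only a product match; a CVE is reported only
# when the version also falls inside that CVE's configured range.
# ASSUMPTION: the range below is a stand-in, not the live NVD data for CVE-2016-3720.
# Key names follow the NVD JSON feed convention (versionStartIncluding, ...).
CVE_CONFIG = {
    "CVE-2016-3720": [
        {"vendor": "fasterxml", "product": "jackson", "versionEndExcluding": "2.7.4"},
    ],
}

def parse_cpe22(cpe: str) -> dict:
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version...) into named fields."""
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe}")
    fields = cpe[len("cpe:/"):].split(":")
    names = ["part", "vendor", "product", "version", "update", "edition", "language"]
    return {n: (fields[i] if i < len(fields) and fields[i] else None)
            for i, n in enumerate(names)}

def parse_version(v: str) -> tuple:
    """Numeric dotted prefix as a 4-tuple so 2.7 == 2.7.0; pre-release tags are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(([int(x) for x in m.group(0).split(".")] + [0] * 4)[:4])

def in_range(version: str, node: dict) -> bool:
    """True when version satisfies every bound present in the node (absent = unbounded)."""
    v = parse_version(version)
    bounds = {"versionStartIncluding": lambda b: v >= b,
              "versionStartExcluding": lambda b: v > b,
              "versionEndIncluding": lambda b: v <= b,
              "versionEndExcluding": lambda b: v < b}
    return all(ok(parse_version(node[k])) for k, ok in bounds.items() if k in node)

def matching_cves(cpe: str, config: dict = CVE_CONFIG) -> list:
    """CVEs matching the CPE's vendor/product AND version range.
    A CPE without a version cannot be excluded, so it is reported conservatively."""
    c = parse_cpe22(cpe)
    hits = []
    for cve, nodes in config.items():
        if any((c["vendor"], c["product"]) == (n["vendor"], n["product"])
               and (c["version"] is None or in_range(c["version"], n)) for n in nodes):
            hits.append(cve)
    return hits
```

Fed the CPE from the report line in the issue, `matching_cves("cpe:/a:fasterxml:jackson:2.7.6")` returns an empty list, which is the result a fresh database gives for this version; a stale or out-of-sync range is the kind of thing that turns it into a false positive.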

@jeremylong
Collaborator

Unable to reproduce. Additional fixes have been implemented around CVE-2016-3720.

@lock

lock bot commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 28, 2018