[FP]: CVE-2022-29523

[arunkumarthangavel]

Package URl

pkg:maven/org.bouncycastle/bcpg-jdk15on@1.70

CPE

cpe:2.3:a:open_cas_project:open_cas:1.70:::::::*

CVE

CVE-2022-29523

ODC Integration

None

ODC Version

8.1.2

Description

The CVE description says "Improper conditions check in the Open CAS software maintained by Intel(R) before version 22.3.1 may allow an authenticated user to potentially enable denial of service via local access." but bouncycastle is getting added to the report as vulnerable.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bcpg-jdk15on</artifactId>
   <version>1.70</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5577
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg-jdk15on@.*$</packageUrl>
   <cpe>cpe:/a:open_cas_project:open_cas</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/4488669135

[aikebah]

Cannot reproduce your findings. Both the automated evaluation in Github as well as a local maven- and CLI attempt do not surface this FP.

[SScherz]

I only encountered the issue when using the Gradle plugin. CLI and ant did not produce this FP.