[FP]: False positive for CVE-2024-35255 in azure-identity

[rokoman13]

Package URl

pkg:maven/com.azure/azure-identity@1.12.2

CPE

cpe:2.3:a:microsoft:azure_identity_sdk::::::java::*

CVE

CVE-2024-35255

ODC Integration

None

ODC Version

10.0.4

Description

I see that vuln is actual for azure-identity (java) up to 1.12.2 (excluding), but my version is 1.12.2 and CVE is still in the report (also tried azure-identity 1.13.3, the same thing)

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.azure</groupId>
   <artifactId>azure-identity</artifactId>
   <version>1.12.2</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7000
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.azure/azure-identity@.*$</packageUrl>
   <cpe>cpe:/a:microsoft:azure_identity_sdk</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11101489749

[rokoman13]

@aikebah hello! could you check this FP report please?

[aikebah]

@rokoman13 The discriminator in the CPE that would allow to fix it (target_sw with the values java vs python vs javascript vs .net for this library) is currently not taken into account, so that the joined version ranges across the languages determines the versions reported as vulnerable.