beMonika changed the title from "Deepfence reports vulnerabilities from overridden dependencies" to "Deepfence reports vulnerabilities from overridden dependencies in pom.xml" on Jul 27, 2023
Description
False vulnerabilities from overridden dependencies are reported
Details
I have a Jenkins service running on a Linux machine. Vulnerabilities are reported in pom.xml files from the unpacked jenkins.war on the filesystem.
Let's say that in my build pom.xml I have a dependency on plugin A, which has a vulnerability present only through its dependency B. But in my build pom.xml I also declare dependency B with a newer version, which overrides the version coming from dependency A. The scans now report the vulnerability in the pom.xml of dependency A from the older dependency B, which is not actually used nor present in any form on the filesystem. I also checked with OWASP Maven dependency check, and the vulnerability is not reported there.
Example

```xml
<dependency>
  <groupId>org.jenkins-ci.plugins</groupId>
  <artifactId>badge</artifactId>
  <version>1.9.1</version>
  <type>hpi</type>
</dependency>
<dependency>
  <groupId>org.jenkins-ci.plugins</groupId>
  <artifactId>script-security</artifactId>
  <version>1244.ve463715a_f89c</version>
  <type>hpi</type>
</dependency>
```
For the badge dependency, 6 vulnerabilities are reported from its script-security dependency. However, I override script-security with a newer version which does not have vulnerabilities.
Vulnerabilities from the script-security dependency are still reported for the badge dependency, e.g. in the pom.xml on the filesystem: home/user/.jenkins/plugins/badge/META-INF/maven/org.jenkins-ci.plugins/badge/pom.xml
Expected behavior
The vulnerabilities described above are not reported.
Additional context
- agent version: 1.5.0-a455ac21-1683193637040523
- previously used agent version which did not report these vulnerabilities: 1.3.0-49a7d8a-1647345233150322
- Maven is not installed on the machine where the agent runs scans
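The following is an added example, not code from the issue author or from Deepfence, that shows the mechanism behind this report. Maven's dependency mediation is "nearest wins": a version declared directly in the build pom (depth 1) beats the same artifact declared transitively by a plugin's own bundled pom (depth 2). A scanner that walks the META-INF/maven/**/pom.xml files inside unpacked plugins sees only the depth-2 declaration and flags its version. The script parses both poms, computes the effective version the way Maven would, and lists every per-file finding whose declared version differs from the resolved one. The badge and script-security coordinates and the pom path are taken from the issue; the pom texts are constructed, and the version pinned by badge's bundled pom is a placeholder because the issue does not state it.

```python
"""Why a scanner reading each pom.xml in isolation reports a version Maven never resolves.

Added example, not from the issue author or Deepfence.  Only the first transitive
level is modelled, which is all the scenario in the issue needs.
"""
import xml.etree.ElementTree as ET

# Constructed build pom, modelled on the dependency snippet in the issue.
BUILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>badge</artifactId>
      <version>1.9.1</version>
      <type>hpi</type>
    </dependency>
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>script-security</artifactId>
      <version>1244.ve463715a_f89c</version>
      <type>hpi</type>
    </dependency>
  </dependencies>
</project>
"""

# Constructed stand-in for the pom.xml bundled inside the unpacked badge plugin.
# The pinned version is a placeholder: the real value is not given in the issue.
BADGE_BUNDLED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>script-security</artifactId>
      <version>OLD-VERSION-PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
"""
BADGE_POM_PATH = ("home/user/.jenkins/plugins/badge/META-INF/maven/"
                  "org.jenkins-ci.plugins/badge/pom.xml")


def _local(tag):
    """Strip the Maven XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_dependencies(pom_xml):
    """Return {(groupId, artifactId): version} for every <dependency> element."""
    deps = {}
    for elem in ET.fromstring(pom_xml).iter():
        if _local(elem.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        deps[(fields.get("groupId"), fields.get("artifactId"))] = fields.get("version")
    return deps


def effective_versions(build_pom, bundled_poms):
    """Apply nearest-wins: direct declarations beat those from a plugin's bundled pom.

    bundled_poms maps a direct dependency's (groupId, artifactId) to the text of
    the pom.xml shipped inside that plugin.
    """
    direct = parse_dependencies(build_pom)
    effective = dict(direct)
    for dep_key in direct:
        transitive = parse_dependencies(bundled_poms.get(dep_key, "<project/>"))
        for trans_key, version in transitive.items():
            effective.setdefault(trans_key, version)  # depth 1 already set wins
    return effective


def per_file_findings(pom_files):
    """What a scanner sees reading each on-disk pom.xml on its own:
    one (path, groupId, artifactId, version) tuple per declared dependency."""
    findings = []
    for path, xml_text in pom_files.items():
        for (group, artifact), version in parse_dependencies(xml_text).items():
            findings.append((path, group, artifact, version))
    return findings


def overridden_findings(pom_files, build_pom, bundled_poms):
    """Per-file findings whose declared version is not the version Maven resolves."""
    effective = effective_versions(build_pom, bundled_poms)
    return [f for f in per_file_findings(pom_files)
            if effective.get((f[1], f[2])) not in (None, f[3])]


if __name__ == "__main__":
    bundled = {("org.jenkins-ci.plugins", "badge"): BADGE_BUNDLED_POM}
    on_disk = {BADGE_POM_PATH: BADGE_BUNDLED_POM}
    resolved = effective_versions(BUILD_POM, bundled)
    for path, group, artifact, version in overridden_findings(on_disk, BUILD_POM, bundled):
        print(f"{path}: {group}:{artifact} declared {version}, "
              f"but Maven resolves {resolved[(group, artifact)]}")
```

Run stand-alone, the script prints the badge pom path with the placeholder version as declared and 1244.ve463715a_f89c as resolved, which is the shape of the finding the issue describes. Whether a finding in this list is a true false positive still depends on what is actually loaded at runtime; the script only shows that the declared version in the bundled pom is not the one Maven's mediation selects.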