[FP]: prometheus-metrics-* packages are identified as prometheus server (CVE-2019-3826) #6686
Comments
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222420898 |
|
Error parsing package url: pkg:maven/io.prometheus/[email protected],. Error: Error: Invalid purl: version must be percent-encoded Please correct the package URL - consider copying the package url from the HTML report. |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222454485 |
|
Maven Coordinates <dependency>
<groupId>io.prometheus</groupId>
<artifactId>prometheus-metrics-config</artifactId>
<version>1.2.1</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6686
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-config@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9222469707 |
|
Error parsing package url: pkg:maven/io.prometheus/[email protected] Error: Error: Invalid purl: version must be percent-encoded Please correct the package URL - consider copying the package url from the HTML report. |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222513263 |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/9222543399 |
|
Maven Coordinates <dependency>
<groupId>io.prometheus</groupId>
<artifactId>prometheus-metrics-config</artifactId>
<version>1.2.1</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6686
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-config@.*$</packageUrl>
<cpe>cpe:/a:prometheus:prometheus</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9222601109 |
|
The suppression rule should be updated to something like |
Package URl
pkg:maven/io.prometheus/[email protected]
CPE
cpe:2.3:a:prometheus:prometheus:1.2.1:::::::*
CVE
CVE-2019-3826
ODC Integration
{"label"=>"Gradle Plugin"}
ODC Version
8.4.3
Description
prometheus-metrics-config-1.2.1.jar (pkg:maven/io.prometheus/[email protected], cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-core-1.2.1.jar (pkg:maven/io.prometheus/[email protected], cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-exposition-formats-1.2.1.jar (pkg:maven/io.prometheus/[email protected], cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-model-1.2.1.jar (pkg:maven/io.prometheus/[email protected], cpe:2.3:a:prometheus:prometheus:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-shaded-protobuf-1.2.1.jar (pkg:maven/io.prometheus/[email protected], cpe:2.3:a:prometheus:prometheus:1.2.1:::::::, cpe:2.3:a:protobuf:protobuf:1.2.1:::::::) : CVE-2019-3826
prometheus-metrics-tracer-common-1.2.1.jar (pkg:maven/io.prometheus/[email protected], cpe:2.3:a:prometheus:prometheus:1.2.1:::::::*) : CVE-2019-3826
The text was updated successfully, but these errors were encountered: