[FP]: org.tukaani:xz:1.9 #6925
Comments
|
Maven Coordinates <dependency>
<groupId>org.tukaani</groupId>
<artifactId>xz</artifactId>
<version>1.9</version>
</dependency>Suppression rule: <suppress base="true">
<notes><![CDATA[
FP per issue #6925
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.tukaani/xz@.*$</packageUrl>
<cpe>cpe:/a:tukaani:xz</cpe>
</suppress>Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10575102244 |
|
approved being a separate project with separate versioning NVD would allocate a separate CPE for the xz-java project |
|
Suppress rule has been added to the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:maven/org.tukaani/[email protected]
CPE
cpe:2.3:a:tukaani:xz::::::::
CVE
CVE-2022-1271
ODC Integration
{"label"=>"Ant Task"}
ODC Version
10.0.1
Description
This seems to be the same issue as #1668, where the CPE is so general that it matches the Java library as well, despite the fact that it is purely an impl of the XZ compression. It does not implement or use (x)zgrep and therefore is not vulnerable to the filename validation problem mentioned in the CVE.
The text was updated successfully, but these errors were encountered: