jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

Home Page: https://owasp.org/www-project-dependency-check/


[FP]: Very old CVE-2016-3088 detected for Apache ActiveMQ 5.17.0

Gouri-19 opened this issue · comments

Package URL

pkg:maven/xx-activemq-log-plugin@2.112.2

CPE

cpe:2.3:a:apache:activemq:2.112.2:*:*:*:*:*:*:*

CVE

CVE-2016-3088

ODC Integration

None

ODC Version

8.4.3

Description

CVE-2016-3088 was detected and reported by an OWASP Dependency-Check scan for Apache ActiveMQ 5.17.0. The vulnerability description clearly states that the vulnerability exists in Apache ActiveMQ 5.x before 5.14.0. This is because, in the application code, xx-activemq-log-plugin takes the version as the project version. The OWASP Dependency-Check report is picking this up and detecting it as the ActiveMQ version, and reporting the CVE in the scan report. Therefore, it is a false positive.
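The practical fix for a finding like this, where a wrapper artifact is assigned the CPE of the library it wraps, is a local suppression rule rather than a per-CVE issue. The file below is an added example written for this page, not part of the issue or of the dependency-check project; it uses the published suppression schema (dependency-suppression.1.3.xsd) and the package URL and CPE quoted in the report above. The `notes` text and the choice to match the whole `xx-activemq-log-plugin` artifact by regex are this example's own assumptions; the suppression is keyed on the CPE prefix `cpe:2.3:a:apache:activemq` so that it covers every ActiveMQ CVE that gets mis-assigned to that artifact, not just CVE-2016-3088.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        Assumption for this example: xx-activemq-log-plugin is an in-house plugin
        versioned with the project (2.112.2), not with the ActiveMQ release it
        embeds. Dependency-Check reads that project version as the ActiveMQ
        version and reports ActiveMQ CVEs (for example CVE-2016-3088, which is
        limited to 5.x before 5.14.0) against it. Suppress the CPE, not the
        individual CVE, so every mis-assigned ActiveMQ finding on this artifact
        is covered, while the real activemq-* jars are still scanned.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/xx\-activemq\-log\-plugin@.*$</packageUrl>
        <cpe>cpe:2.3:a:apache:activemq</cpe>
    </suppress>
</suppressions>
```

Pass the file with `--suppression <path>` on the CLI (or the equivalent `suppressionFiles` setting of the Maven or Gradle plugin) and re-run the scan; the suppressed finding is listed in the report's suppressed section rather than silently dropped, which is the check worth doing before committing the rule. Keep the `packageUrl` anchored to the specific artifact: a bare `<cpe>` element with no `packageUrl` would also suppress genuine ActiveMQ findings on the real `activemq-*` dependencies.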

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7933147646

Opening a separate FP per CVE for an improper CPE assignment is not needed. Closing as a duplicate of #6474