[FP]: Very old CVE-2016-3088 detected for Apache ActiveMQ 5.17.0
Gouri-19 opened this issue
Package URL
pkg:maven/xx-activemq-log-plugin@2.112.2
CPE
cpe:2.3:a:apache:activemq:2.112.2:*:*:*:*:*:*:*
CVE
ODC Integration
None
ODC Version
8.4.3
Description
CVE-2016-3088 was detected and reported by an OWASP Dependency-Check scan for Apache ActiveMQ 5.17.0. The vulnerability description clearly states that the vulnerability exists in Apache ActiveMQ 5.x before 5.14.0. This is because, in the application code, xx-activemq-log-plugin takes the version as the project version. The OWASP Dependency-Check report is picking it up and detecting it as the ActiveMQ version, and reporting the CVE in the scan report. Therefore, it is a false positive.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7933147646
Opening separate FP per CVE for improper CPE assignment is not needed. Closing as a duplicate of #6474
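Editor's note: until the CPE assignment for this artifact is corrected upstream, the practical way to silence this class of finding in a build is a dependency-check suppression rule. The rule below is an added example, not part of the issue or of the Dependency-Check project; it assumes the package URL exactly as reported above (with the abbreviated `xx-activemq-log-plugin` name) and a file name of `suppressions.xml`. It suppresses the mis-assigned CPE for that package rather than the single CVE, because, as the maintainer notes, the root cause is the CPE match, so any other ActiveMQ CVE would otherwise surface against the same artifact.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (assumed name: suppressions.xml); not from the issue. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        xx-activemq-log-plugin inherits the project version (2.112.2), which
        dependency-check matches to the Apache ActiveMQ CPE. The artifact is
        not ActiveMQ, so suppress the CPE match for this package URL only.
        Any version of the plugin is covered by the regex; the CPE is
        restricted to this purl so real ActiveMQ dependencies still report.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/xx\-activemq\-log\-plugin@.*$</packageUrl>
        <cpe>cpe:/a:apache:activemq</cpe>
    </suppress>
</suppressions>
```

Pass the file to the scanner with `--suppression suppressions.xml` on the CLI (or the equivalent `suppressionFiles` setting of the Maven/Gradle plugins). Keep the `<packageUrl>` scoped to the affected artifact: a bare `<cpe>` element without a purl or sha1 would hide findings against a genuine ActiveMQ dependency elsewhere in the tree.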