[FP]: CVE-2023-36414, CVE-2023-36415 on com.azure azure-identity-extensions
eliasmueller opened this issue
Package URL
pkg:maven/com.azure/azure-identity-extensions@1.1.13
CPE
cpe:2.3:a:microsoft:azure_cli:1.1.13:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_identity_sdk:1.1.13:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:azure_sdk_for_java:1.1.13:*:*:*:*:*:*:*
CVE
CVE-2023-36414, CVE-2023-36415
ODC Integration
Maven Plugin
ODC Version
9.0.9
Description
Based on my understanding and what the Microsoft reports show, those vulnerabilities are limited to the azure-identity library patched in version 1.10.2, and not part of the azure-identity-extensions library, which references 1.11.1:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36415
Therefore, I assume this to be a false positive.
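Before accepting a report like the one above as a false positive, the check a reviewer wants is that the build really resolves a patched azure-identity (the MSRC advisories give 1.10.2 as the fixed version). The script below is an added example, not code from this issue or from DependencyCheck: it parses output in the format `mvn dependency:tree` prints and compares the resolved azure-identity version against the fix version. The dependency tree it parses is constructed for the example, and the transitive versions in it (azure-identity 1.11.1 under azure-identity-extensions 1.1.13, plus the other coordinates) are assumptions, not captured build output.

```python
"""Added example (not part of the issue or of DependencyCheck): confirm that a
build depending on azure-identity-extensions actually resolves an azure-identity
at or above the advisory's fixed version before suppressing the finding."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in `mvn dependency:tree` format; versions are assumed.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.azure:azure-identity-extensions:jar:1.1.13:compile
[INFO] |  +- com.azure:azure-identity:jar:1.11.1:compile
[INFO] |  |  \\- com.microsoft.azure:msal4j:jar:1.14.0:compile
[INFO] |  \\- com.azure:azure-core:jar:1.45.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

# Fixed version per the MSRC advisories cited in the issue (CVE-2023-36414/36415).
FIXED_VERSIONS = {"com.azure:azure-identity": "1.10.2"}

# groupId:artifactId:type[:classifier]:version:scope, as printed by dependency:tree.
COORD_RE = re.compile(
    r"([\w.-]+):([\w.-]+):(?:jar|pom|war|bundle):(?:[\w.-]+:)?([\w.-]+):(\w+)"
)


def parse_tree(tree_text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' to the resolved version for every dependency node.

    The root project line carries no scope, so it does not match and is skipped.
    """
    resolved: Dict[str, str] = {}
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m:
            group, artifact, version, _scope = m.groups()
            resolved[f"{group}:{artifact}"] = version
    return resolved


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparing release versions (1.10.2 sorts above 1.9.9).

    A qualifier such as '-beta.1' is dropped; non-numeric parts are ignored.
    """
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def check_fixed(resolved: Dict[str, str], fixed: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """For each artifact with a known fix version: True if the resolved version is
    at or above the fix, False if it is below, None if the artifact is absent."""
    result: Dict[str, Optional[bool]] = {}
    for coord, fix in fixed.items():
        have = resolved.get(coord)
        result[coord] = None if have is None else version_key(have) >= version_key(fix)
    return result


if __name__ == "__main__":
    resolved = parse_tree(SAMPLE_TREE)
    for coord, ok in check_fixed(resolved, FIXED_VERSIONS).items():
        state = "patched" if ok else ("below fix version" if ok is False else "not resolved")
        print(f"{coord} {resolved.get(coord)}: {state}")
```

Run it against real output with `mvn dependency:tree -Dincludes=com.azure > tree.txt` and feed the file to `parse_tree`; a `False` for `com.azure:azure-identity` means the suppression rule would hide a genuine finding, a `None` means the library is not on the classpath at all.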
Maven Coordinates
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity-extensions</artifactId>
<version>1.1.13</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #6491
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure-identity-extensions@.*$</packageUrl>
<cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8076844697
Maven Coordinates
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity-extensions</artifactId>
<version>1.1.13</version>
</dependency>
Suppression rule:
<suppress base="true">
<notes><![CDATA[
FP per issue #6491
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure-identity-extensions@.*$</packageUrl>
<cpe>cpe:/a:microsoft:azure_cli</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/8078200830