[FP]: False positive for CVE-2019-3800 in solace-messaging-client

[profhenry]

Package URl

pkg:maven/com.solace/solace-messaging-client@1.8.0

CPE

cpe:2.3:a:solace:pubsub\+:1.8.0:*:*:*:*:*:*:*

CVE

CVE-2019-3800

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

9.0.10

Description

CVE-2019-3800 affects Cloud Foundry for IBM Cloud Private not the Solace client lib

[github-actions]

Maven Coordinates

<dependency>
   <groupId>com.solace</groupId>
   <artifactId>solace-messaging-client</artifactId>
   <version>1.8.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7869
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/com\.solace/solace-messaging-client@.*$</packageUrl>
   <cpe>cpe:/a:solace:pubsub\+</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/16985702398

[Umesh042005]

@aikebah @profhenry @chadlwilson Can we use a hint to remove the pubsub+ CPE instead of a suppression? Since the library is Java and the CVE is for IBM Cloud, a hint seems better. What do you think?

[Umesh042005]

I'm happy to help fix this with a Hint/PR if you agree. Should I go ahead?

[chadlwilson]

I believe the problem here is that the CPE which the CVE is attached to has a variant pivotal_cloud_foundry which ODC does not support parsing (or handling within hints/suppressions I believe): cpe:2.3:a:solace:pubsub\+:*:*:*:*:*:pivotal_cloud_foundry:*:* - and NVD have matched it to this CPE.

There is probably no hint or suppression that will lead to the correct behaviour - unless it can be determined that none of the pubsub CPE variants should be matching the client library at all; for example if it has a separate CPE different to pubsub.

We generally only apply hints and suppressions where the rule would be valid to apply to an entire package and product combination; not targeted for individual CVEs and it's impossible to support over time.

[Umesh042005]

I get what you mean @chadlwilson . Instead of just hiding this one CVE, can we use a Hint to tell the tool that the Maven library "solace-messaging-client " is not the pubsub+ platform? This would fix the product identification for the whole package forever. What do you think?"

[chadlwilson]

Instead of just hiding this one CVE, can we use a Hint to tell the tool that the Maven library "solace-messaging-client " is not the pubsub+ platform?

Is that true,. though?

It requires investigation into how Solace is versioned, packaged and released.

If the client is part of the wider platform and versioned alongside it, any such change would be incorrect and lead to false negatives.