
[FP]: CVE-2024-34447 for bcprov-jdk15on-1.60.jar #6659

Closed
adam-siklosi opened this issue May 9, 2024 · 5 comments
Labels: FP Report, maven (changes to the maven plugin)

Comments

adam-siklosi commented May 9, 2024

Package URL

pkg:maven/org.bouncycastle/bcprov-jdk15on@1.60

CPE

cpe:2.3:a:org.bouncycastle:bcprov-jdk15on:1.60:::::::*

CVE

CVE-2024-34447

ODC Integration

None

ODC Version

9.1.0

Description

org.bouncycastle.jsse packages are shipped in org.bouncycastle:bctls-jdk15on
See https://github.com/bcgit/bc-java/blob/r1v60/tls/build.gradle

Probably this can be generalized to newer versions
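
The claim above (that the org.bouncycastle.jsse package ships in bctls-jdk15on, not bcprov-jdk15on) is something a practitioner can verify directly by listing the .class entries of the jars on the classpath instead of trusting the CPE match. The following is an added example, not code from the DependencyCheck project or from the reporter. It builds three constructed sample jars with empty placeholder .class entries that mirror the reporter's description (this layout is an assumption, not the real Bouncy Castle artifacts), then reports which jar contains classes under org/bouncycastle/jsse/; the scan_local_maven_repo helper applies the same check to real jars under an assumed ~/.m2 path.

```python
"""Find which jar on a path actually ships a given Java package.

Added example (not DependencyCheck or Bouncy Castle code). The sample jar
layout is CONSTRUCTED to mirror the issue's claim; real artifacts may differ.
"""
import glob
import os
import tempfile
import zipfile
from pathlib import Path

# Package named as affected in the report, in jar-entry (slash) form.
JSSE_PREFIX = "org/bouncycastle/jsse/"


def class_entries(jar_path):
    """Return all .class entry names in a jar (a jar is a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return [n for n in zf.namelist() if n.endswith(".class")]


def jars_shipping_package(jar_paths, package_prefix=JSSE_PREFIX):
    """Map jar file name -> number of .class entries under package_prefix.

    Jars with no class under the prefix are omitted, so an empty dict means
    nothing on the scanned path ships that package at all.
    """
    found = {}
    for path in jar_paths:
        count = sum(1 for n in class_entries(path) if n.startswith(package_prefix))
        if count:
            found[Path(path).name] = count
    return found


def build_sample_jars(directory):
    """Write CONSTRUCTED sample jars (not the real Bouncy Castle artifacts)."""
    layout = {
        "bcprov-jdk15on-1.60.jar": [
            "org/bouncycastle/jce/provider/BouncyCastleProvider.class",
            "org/bouncycastle/crypto/engines/AESEngine.class",
        ],
        "bcpkix-jdk15on-1.60.jar": [
            "org/bouncycastle/cert/X509CertificateHolder.class",
        ],
        "bctls-jdk15on-1.60.jar": [
            "org/bouncycastle/jsse/provider/BouncyCastleJsseProvider.class",
            "org/bouncycastle/jsse/BCSSLSocket.class",
        ],
    }
    paths = []
    for jar_name, entries in layout.items():
        path = Path(directory) / jar_name
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for entry in entries:
                zf.writestr(entry, b"")  # placeholder body; only the entry name matters
        paths.append(str(path))
    return paths


def demo():
    """Build the sample jars in a temp dir and report which ship org.bouncycastle.jsse."""
    with tempfile.TemporaryDirectory() as d:
        return jars_shipping_package(build_sample_jars(d))


def scan_local_maven_repo(repo=os.path.expanduser("~/.m2/repository/org/bouncycastle")):
    """Same check against real jars in a local Maven repository (the path is an assumption)."""
    return jars_shipping_package(glob.glob(os.path.join(repo, "**", "*.jar"), recursive=True))


if __name__ == "__main__":
    print(demo())  # -> {'bctls-jdk15on-1.60.jar': 2}
```

Running demo() shows that, under the constructed layout, only bctls-jdk15on-1.60.jar carries org.bouncycastle.jsse classes. A result from scan_local_maven_repo() on the real jars is the evidence to attach to a false-positive report like this one, and it also tells you whether the vulnerable package is on your classpath at all, independent of which artifact the CPE happens to match.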

github-actions bot commented May 9, 2024

Maven Coordinates

<dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bcpkix-jdk15on</artifactId>
   <version>1.60</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6659
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpkix-jdk15on@.*$</packageUrl>
   <cpe>cpe:/a:bouncycastle:bouncy_castle_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9015590632

github-actions bot added the "maven" label (changes to the maven plugin) on May 9, 2024
adam-siklosi changed the title from "[FP]: CVE-2024-34447 for bcpkix-jdk15on-1.60.jar" to "[FP]: CVE-2024-34447 for bcprov-jdk15on-1.60.jar" on May 9, 2024
github-actions bot commented May 9, 2024

Maven Coordinates

<dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bcpkix-jdk15on</artifactId>
   <version>1.60</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6659
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpkix-jdk15on@.*$</packageUrl>
   <cpe>cpe:/a:bouncycastle:bouncy_castle_for_java</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9015605859

github-actions bot commented May 9, 2024

Maven Coordinates

<dependency>
   <groupId>org.bouncycastle</groupId>
   <artifactId>bcprov-jdk15on</artifactId>
   <version>1.60</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6659
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov-jdk15on@.*$</packageUrl>
   <cpe>cpe:/a:org.bouncycastle:bcprov-jdk15on</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9015617431

adam-siklosi (Author) commented

Probably the CPE is wrong in NVD?

OrangeDog commented May 9, 2024

All the data says the issue is in bcprov, not bctls. It's not a dependency-check issue.

adam-siklosi closed this as not planned on May 9, 2024