Dependencycheck: False Positive on java/jboss-websocket-api jboss-websocket-api_1.1_spec-1.1.4.Final.jar

Created on 13 May 2020 · 2 Comments · Source: jeremylong/DependencyCheck

There is a false positive being reported against the javax websocket APIs that pertains to an unrelated specific implementation only:

jboss-websocket-api_1.1_spec-1.1.4.Final.jar
cpe:2.3:a:java-websocket_project:java-websocket:1.1.4:*:*:*:*:*:*:*
pkg:maven/org.jboss.spec.javax.websocket/[email protected]

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11050 pertains to https://github.com/TooTallNate/Java-WebSocket which has nothing to do with the javax websocket API spec (and I don't think even implements that spec)?

FP Report


All 2 comments

Seeing the same report https://github.com/TooTallNate/Java-WebSocket/issues/1019

At the moment I'm in the process of getting in touch with GitHub.
If a maintainer reads this, please send me a mail and we'll try to solve this!

Best regards,
Marcel

I'm seeing a similar issue for a different library too:
jakarta.websocket-api-1.1.2.jar (pkg:maven/jakarta.websocket/[email protected], cpe:2.3:a:java-websocket_project:java-websocket:1.1.2:*:*:*:*:*:*:*) : CVE-2020-11050
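While the mismatched CPE is corrected upstream, the practical workaround for both reports in this thread (the org.jboss.spec.javax.websocket artifact in the opening report and the jakarta.websocket artifact in the last comment) is a DependencyCheck suppression file. The following is an added example, not a file from the DependencyCheck project or from the reporters. It suppresses the wrong CPE (cpe:/a:java-websocket_project:java-websocket, which is TooTallNate/Java-WebSocket) for any artifact in those two Maven groups, rather than suppressing only CVE-2020-11050, so that later Java-WebSocket CVEs are not mis-attributed either. The group-level regex is an assumption chosen because the purls in this thread give the groups; narrow it to a specific artifact if you only ship one of these jars.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (added here; not part of DependencyCheck or of
     this issue). It detaches the java-websocket CPE from the javax/jakarta
     websocket API spec jars, so CVE-2020-11050 is no longer reported
     against them. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <suppress>
        <notes><![CDATA[
        False positive: the JBoss and Jakarta websocket API spec jars are
        matched to cpe:/a:java-websocket_project:java-websocket, which is
        TooTallNate/Java-WebSocket, an unrelated implementation.
        The whole CPE is suppressed (not just CVE-2020-11050) so that every
        current and future Java-WebSocket advisory stays off these jars.
        Re-check this entry if the artifact coordinates change.
        ]]></notes>
        <!-- Match by Maven group (assumption: both groups seen in this thread
             only contain the API spec jars). Tighten the regex if needed. -->
        <packageUrl regex="true">^pkg:maven/(org\.jboss\.spec\.javax\.websocket|jakarta\.websocket)/.*$</packageUrl>
        <cpe>cpe:/a:java-websocket_project:java-websocket</cpe>
    </suppress>

</suppressions>
```

Pass the file with `--suppression suppression.xml` on the CLI, or via `suppressionFile` in the Maven plugin configuration, then re-run the scan and confirm that CVE-2020-11050 disappears from the report for these jars while still appearing for a genuine org.java-websocket dependency, if any. Keep the `<notes>` block filled in: a suppression without a recorded reason is indistinguishable from a silenced real finding at the next review.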
