Dependencycheck: False Positive on Kotlin
False positive on kotlin-stdlib-jdk8-1.4.0.jar (and a few other core kotlin 1.4.0 libraries) - reported as:
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone2:*:*:*:*:*:*cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone3:*:*:*:*:*:*cpe:2.3:a:jetbrains:kotlin:1.4.0:rc:*:*:*:*:*:*
Last night, after a change that NIST made, the core Kotlin libraries started reporting as vulnerable to CVE-2020-15824 despite the advisory stating that 1.4.0 fixes the issue.
camelpunch
All 5 comments
This looks like the ones we just hit: dependency-check is getting confused by the versioning, and deciding that the rules that match the "milestone1" pre-release also apply to 1.4.0 (release).
Identifiers:
pkg:maven/org.jetbrains.kotlin/[email protected] (Confidence:Highest)
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:* (Confidence:Highest) suppress
etc.
jamesrgrinter
on 15 Sep 2020
This is going to be a more interesting FP to resolve and will take code changes. I may not get to this right away - but what you can do is add a suppression for the CVE to your current scans.
jeremylong
on 3 Oct 2020
We just fell into this trap too and i'm guessing suppression is still the way forward here as updating to the latest components (1.4.20 at the time of writing) still produces the FP. Any news on the update on this @jeremylong?
timpharo
on 1 Dec 2020
Maybe you could you add an temporary entry to dependencycheck-base-hint.xml that filters this bug as it is apparently hard to fix?
lathspell
on 2 Feb 2021
Same issues with Kolin 1.4.30
kevcodez
on 4 Feb 2021
Related issues
gregory-lyons
路
21Comments
Vampire
路
15Comments
emartynov
路
24Comments
mark-senne
路
37Comments
binkley
路
21Comments
Most helpful comment
We just fell into this trap too and i'm guessing suppression is still the way forward here as updating to the latest components (1.4.20 at the time of writing) still produces the FP. Any news on the update on this @jeremylong?