[FP]: The scanner flags older CVEs in fixed camel version 3.22.4

[er-balaji]

Package URl

pkg:maven/org.apache.camel/camel-core@3.22.4

CPE

cpe:2.3:a:apache:camel:3.22.4:::::::*

CVE

CVE-2024-22369, CVE-2024-23114, CVE-2025-27636

ODC Integration

None

ODC Version

12.2.1

Description

The scanner flags Apache Camel 3.22.4 for these CVEs, but all three were fixed in versions ≤3.22.4:

• CVE-2024-22369: Fixed in Camel 3.22.1 (camel-core deserialization)
• CVE-2024-23114: Fixed in Camel 3.22.1 (camel-cassandraql — also not deployed)
• CVE-2025-27636: Fixed in Camel 3.22.4 (header filter bypass)

Scanner does not correctly evaluate fix version boundaries.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>camel-core</artifactId>
  <version>3.22.4</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8589
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-core@.*$</packageUrl>
    <cpe regex="true">cpe:/a:apache:camel(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27365584058

[chadlwilson]

There are only 2026 vulns turning up for this camel version in the tests here, which all look legitimate.

You haven't filled in the dependency check version correctly. Please take care to supply information accurately to avoid wasting time.

Check you are running latest version and/or share a report please.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.camel</groupId>
  <artifactId>camel-core</artifactId>
  <version>3.22.4</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8589
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-core@.*$</packageUrl>
    <cpe regex="true">cpe:/a:apache:camel(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27366783686

[chadlwilson]

Will re-open if an ODC report with the evidence section can be supplied to demonstrate this false positive.