[FP]: commons-beanutils-core for cve-2014-0114

[kaniskavarsini]

Package URl

pkg:maven/commons-beanutils/commons-beanutils-core@1.8.0

CPE

cpe:2.3:a:apache:commons_beanutils:1.8.0:::::::*

CVE

No response

ODC Integration

None

ODC Version

12.2.2

Description

The vulnerable artifact is commons-beanutils and its cpe contains commons_beanutils. But it is reported for commons-beanutils-core which is a different artifact. The scanner misidentified this artifact as vulnerable.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>commons-beanutils</groupId>
  <artifactId>commons-beanutils-core</artifactId>
  <version>1.8.0</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8594
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-beanutils/commons-beanutils-core@.*$</packageUrl>
    <cpe regex="true">cpe:/a:apache:commons_beanutils(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27367915036

[chadlwilson]

commons-beanutils-core is basically the same thing as commons-beanutils; jsut a deprecated old version where BeanMap was excluded. Not a false positive.