[FP]: Quarkus mariadb for CVE-2015-2325

[kaniskavarsini]

Package URl

pkg:maven/io.quarkus/quarkus-jdbc-mariadb-deployment@3.15.4

CPE

cpe:2.3:a:mariadb:mariadb:3.15.4:::::::*

CVE

No response

ODC Integration

None

ODC Version

12.2.2

Description

CVE-2015-2325 is flagged with CPE cpe:2.3:a:mariadb:mariadb::::::::, which refers to the MariaDB database server itself.
Actual component uses pkg:maven/io.quarkus/quarkus-jdbc-mariadb-deployment@3.15.4, which is a Quarkus build-time deployment module bundles into keycloak jar by default, not the MariaDB server product.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>io.quarkus</groupId>
  <artifactId>quarkus-jdbc-mariadb-deployment</artifactId>
  <version>3.15.4</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8598
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.quarkus/quarkus-jdbc-mariadb-deployment@.*$</packageUrl>
    <cpe regex="true">cpe:/a:mariadb:mariadb(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27368773616

[chadlwilson]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.