CVE-2018-19360: executable affected-version evidence for dependency-check

[hypergalois]

CVE-2018-19360: executable affected-version evidence for dependency-check

Requested Check

Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.

Grouped Route

• candidate: CVE-2018-19360
• route URL: https://github.com/dependency-check/DependencyCheck
• targets: dependency-check
• route kinds: consumer-tool
• priority: P0
• grouped queue rows: 1
• P0 rows in group: 1

Evidence Summary

• projection-loss versions: 3
• consumer false-negative versions: 3
• source-disagreement versions: 0
• report paths: external_validation_reports/CVE-2018-19360_external_validation_report.md

Target-Specific Packets

Target	Route kind	Priority	Reason	Body	SHA-256
dependency-check	consumer-tool	P0	consumer interpretation misses witness-vulnerable versions	external_validation_submissions/CVE-2018-19360__dependency-check.md	2ed6d87b917e70355c579dde3bb14408493439138a9681fb85bbbdecd92668bc

Reproduction

make cve-2018-19360
make interval-certificates topology-theorem order-sensitivity version-dags
make install-consumer-tools consumer-tools-all consumer-tools-dependency-check consumer-tools-gradle-cyclonedx
make public-prevalence case-certificates verify-certificates topology-aware validate-artifact

Full Packet Text

The target-specific packet bodies are included below so this grouped issue remains self-contained.

Packet: dependency-check / consumer-tool

CVE-2018-19360: executable affected-version evidence for dependency-check

Requested Check

Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.

Reason For Contact

• target: dependency-check
• route kind: consumer-tool
• reason: consumer interpretation misses witness-vulnerable versions
• report: external_validation_reports/CVE-2018-19360_external_validation_report.md

Executable Certificate

• candidate: CVE-2018-19360
• bitstring: 1111101010
• minimum interval cover: 3
• V-S-V witnesses: 2
• zero-error single intervals: 0
• full-recall false-positive lower bound: 2
• zero-false-positive false-negative lower bound: 2

Projection-Loss Coordinates

• com.fasterxml.jackson.core:jackson-databind:2.7.0-rc1
  • version: 2.7.0-rc1
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches
• com.fasterxml.jackson.core:jackson-databind:2.7.0-rc2
  • version: 2.7.0-rc2
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches
• com.fasterxml.jackson.core:jackson-databind:2.7.0-rc3
  • version: 2.7.0-rc3
  • claim projection decisions: GHSA:range_excluded;NVD:range_excluded
  • excluding sources: GHSA;NVD
  • detail: GHSA: version is outside all GHSA vulnerable ranges for the tested coordinate; NVD: version is outside all vulnerable NVD CPE matches

Consumer Observations

• dependabot-like-ghsa: rows=10, ok=10, false_negatives=3, false_positives=0
  • false-negative versions: 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3
• dependency-check: rows=10, ok=10, false_negatives=7, false_positives=0
  • false-negative versions: 2.7.0, 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3, 2.7.9.4, 2.8.11.2, 2.9.7
• deps-dev-api: rows=10, ok=10, false_negatives=3, false_positives=0
  • false-negative versions: 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3
• ghsa-range-projection: rows=10, ok=10, false_negatives=3, false_positives=0
  • false-negative versions: 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3
• grype: rows=10, ok=10, false_negatives=3, false_positives=0
  • false-negative versions: 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3
• osv-query-api: rows=10, ok=10, false_negatives=3, false_positives=0
  • false-negative versions: 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3
• osv-scanner: rows=10, ok=10, false_negatives=3, false_positives=0
  • false-negative versions: 2.7.0-rc1, 2.7.0-rc2, 2.7.0-rc3

Source Disagreements

• none recorded for this case

Reproduction

make cve-2018-19360
make interval-certificates topology-theorem order-sensitivity version-dags
make consumer-tools public-prevalence case-certificates verify-certificates

Primary Evidence Files

• consumer_matrix: out/consumer_tools/latest/consumer_false_negative_matrix.csv
• dependency_check_consumer_matrix: out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csv
• gradle_cyclonedx_consumer_matrix: out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csv
• order_sensitivity: out/order_sensitivity/order_sensitivity.csv
• outcomes: out/witness_runs/CVE-2018-19360/latest/outcomes.csv
• projection_decision_matrix: out/metadata_analysis/CVE-2018-19360/projection_decision_matrix.csv
• projection_loss_summary: out/metadata_analysis/CVE-2018-19360/projection_loss_summary.csv
• public_prevalence_by_case: out/public_prevalence/latest/public_dependency_prevalence_by_case.csv
• theorem: out/theorem/single_interval_impossibility.json

[jeremylong]

I'm assuming you are using an old version or this is AI-generated slop. From the dependency-tree:

[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.21.3:compile

Pretty sure 2.21.3 is NOT affected