CVE-2019-10219: executable affected-version evidence for dependency-check
Requested Check
Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.
Grouped Route
- candidate: CVE-2019-10219
- route URL: https://github.com/dependency-check/DependencyCheck
- targets: dependency-check
- route kinds: consumer-tool
- priority: P0
- grouped queue rows: 1
- P0 rows in group: 1
Evidence Summary
- projection-loss versions: 6
- consumer false-negative versions: 6
- source-disagreement versions: 7
- report paths: external_validation_reports/CVE-2019-10219_external_validation_report.md
Target-Specific Packets
| Target | Route kind | Priority | Reason | Body | SHA-256 |
| --- | --- | --- | --- | --- | --- |
| dependency-check | consumer-tool | P0 | consumer interpretation misses witness-vulnerable versions | external_validation_submissions/CVE-2019-10219__dependency-check.md | 5a75615441e1ffe364281895737e71e0d5995e912b8abb64888d549cdc06b679 |
Reproduction
make cve-2019-10219
make interval-certificates topology-theorem order-sensitivity version-dags
make install-consumer-tools consumer-tools-all consumer-tools-dependency-check consumer-tools-gradle-cyclonedx
make public-prevalence case-certificates verify-certificates topology-aware validate-artifact
Full Packet Text
The target-specific packet bodies are included below so this grouped issue remains self-contained.
Packet: dependency-check / consumer-tool
CVE-2019-10219: executable affected-version evidence for dependency-check
Requested Check
Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.
Reason For Contact
- target: dependency-check
- route kind: consumer-tool
- reason: consumer interpretation misses witness-vulnerable versions
- report: external_validation_reports/CVE-2019-10219_external_validation_report.md
Executable Certificate
- candidate: CVE-2019-10219
- bitstring: 011111111001100
- minimum interval cover: 2
- V-S-V witnesses: 1
- zero-error single intervals: 0
- full-recall false-positive lower bound: 2
- zero-false-positive false-negative lower bound: 2
Projection-Loss Coordinates
org.hibernate:hibernate-validator:5.1.3.Final
- version: 5.1.3.Final
- claim projection decisions: GHSA:namespace_missing
- excluding sources: GHSA
- detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
org.hibernate:hibernate-validator:5.2.5.Final
- version: 5.2.5.Final
- claim projection decisions: GHSA:namespace_missing
- excluding sources: GHSA
- detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
org.hibernate:hibernate-validator:5.3.6.Final
- version: 5.3.6.Final
- claim projection decisions: GHSA:namespace_missing
- excluding sources: GHSA
- detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
org.hibernate:hibernate-validator:5.4.2.Final
- version: 5.4.2.Final
- claim projection decisions: GHSA:namespace_missing
- excluding sources: GHSA
- detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
org.hibernate:hibernate-validator:5.4.3.Final
- version: 5.4.3.Final
- claim projection decisions: GHSA:namespace_missing
- excluding sources: GHSA
- detail: GHSA: published version family is older than every GHSA lower-bound for this Maven coordinate
org.hibernate.validator:hibernate-validator:6.1.0.Alpha6
- version: 6.1.0.Alpha6
- claim projection decisions: GHSA:fixed
- excluding sources: GHSA
- detail: GHSA: version equals GHSA first_patched_version
Consumer Observations
dependabot-like-ghsa: rows=15, ok=15, false_negatives=6, false_positives=0
- false-negative versions: 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6
dependency-check: rows=15, ok=15, false_negatives=10, false_positives=0
- false-negative versions: 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.0.0.Alpha1, 6.0.17.Final, 6.0.5.Final, 6.1.0.Alpha5, 6.1.0.Alpha6
deps-dev-api: rows=15, ok=15, false_negatives=6, false_positives=0
- false-negative versions: 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6
ghsa-range-projection: rows=15, ok=15, false_negatives=6, false_positives=0
- false-negative versions: 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6
grype: rows=15, ok=15, false_negatives=6, false_positives=0
- false-negative versions: 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6
osv-query-api: rows=15, ok=15, false_negatives=6, false_positives=0
- false-negative versions: 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6
osv-scanner: rows=15, ok=15, false_negatives=6, false_positives=0
- false-negative versions: 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6
Source Disagreements
- versions with source disagreement: 4.3.2.Final, 5.1.3.Final, 5.2.5.Final, 5.3.6.Final, 5.4.2.Final, 5.4.3.Final, 6.1.0.Alpha6
Reproduction
make cve-2019-10219
make interval-certificates topology-theorem order-sensitivity version-dags
make consumer-tools public-prevalence case-certificates verify-certificates
Primary Evidence Files
consumer_matrix: out/consumer_tools/latest/consumer_false_negative_matrix.csv
dependency_check_consumer_matrix: out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csv
gradle_cyclonedx_consumer_matrix: out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csv
order_sensitivity: out/order_sensitivity/order_sensitivity.csv
outcomes: out/witness_runs/CVE-2019-10219/latest/outcomes.csv
projection_decision_matrix: out/metadata_analysis/CVE-2019-10219/projection_decision_matrix.csv
projection_loss_summary: out/metadata_analysis/CVE-2019-10219/projection_loss_summary.csv
public_prevalence_by_case: out/public_prevalence/latest/public_dependency_prevalence_by_case.csv
theorem: out/theorem/single_interval_impossibility.json