Skip to content

CVE-2026-40180: executable affected-version evidence for dependency-check #8643

Closed
Closed
CVE-2026-40180: executable affected-version evidence for dependency-check#8643

Description

@hypergalois
hypergalois
opened on Jun 30, 2026

CVE-2026-40180: executable affected-version evidence for dependency-check

Requested Check

Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.

Grouped Route

  • candidate: CVE-2026-40180
  • route URL: https://github.com/dependency-check/DependencyCheck
  • targets: dependency-check
  • route kinds: consumer-tool
  • priority: P1
  • grouped queue rows: 1
  • P0 rows in group: 0

Evidence Summary

  • projection-loss versions: 3
  • consumer false-negative versions: 3
  • source-disagreement versions: 0
  • report paths: external_validation_reports/CVE-2026-40180_external_validation_report.md

Target-Specific Packets

Target Route kind Priority Reason Body SHA-256
dependency-check consumer-tool P1 consumer interpretation misses witness-vulnerable versions external_validation_submissions/CVE-2026-40180__dependency-check.md 16e754d0e5c1c7a5db13df9b7e215524a16e05c3167c418f11a732062302d40f

Reproduction

make cve-2026-40180
make interval-certificates topology-theorem order-sensitivity version-dags
make install-consumer-tools consumer-tools-all consumer-tools-dependency-check consumer-tools-gradle-cyclonedx
make public-prevalence case-certificates verify-certificates topology-aware validate-artifact

Full Packet Text

The target-specific packet bodies are included below so this grouped issue remains self-contained.

Packet: dependency-check / consumer-tool

CVE-2026-40180: executable affected-version evidence for dependency-check

Requested Check

Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.

Reason For Contact

  • target: dependency-check
  • route kind: consumer-tool
  • reason: consumer interpretation misses witness-vulnerable versions
  • report: external_validation_reports/CVE-2026-40180_external_validation_report.md

Executable Certificate

  • candidate: CVE-2026-40180
  • bitstring: 11100000
  • minimum interval cover: 1
  • V-S-V witnesses: 0
  • zero-error single intervals: 1
  • full-recall false-positive lower bound: 0
  • zero-false-positive false-negative lower bound: 0

Projection-Loss Coordinates

  • io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0
    • version: 2.14.0
    • claim projection decisions: OSV:package_excluded;GHSA:package_excluded
    • excluding sources: OSV;GHSA
    • detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate
  • io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts
    • version: 2.14.0-lts
    • claim projection decisions: OSV:package_excluded;GHSA:package_excluded
    • excluding sources: OSV;GHSA
    • detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate
  • io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0
    • version: 2.15.0
    • claim projection decisions: OSV:package_excluded;GHSA:package_excluded
    • excluding sources: OSV;GHSA
    • detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate

Consumer Observations

  • dependabot-like-ghsa: rows=8, ok=8, false_negatives=3, false_positives=0
    • false-negative versions: 2.14.0, 2.14.0-lts, 2.15.0
  • dependency-check: rows=8, ok=8, false_negatives=3, false_positives=0
    • false-negative versions: 2.14.0, 2.14.0-lts, 2.15.0
  • deps-dev-api: rows=8, ok=8, false_negatives=3, false_positives=0
    • false-negative versions: 2.14.0, 2.14.0-lts, 2.15.0
  • ghsa-range-projection: rows=8, ok=8, false_negatives=3, false_positives=0
    • false-negative versions: 2.14.0, 2.14.0-lts, 2.15.0
  • grype: rows=8, ok=8, false_negatives=3, false_positives=0
    • false-negative versions: 2.14.0, 2.14.0-lts, 2.15.0
  • osv-query-api: rows=8, ok=8, false_negatives=3, false_positives=0
    • false-negative versions: 2.14.0, 2.14.0-lts, 2.15.0
  • osv-scanner: rows=8, ok=8, false_negatives=3, false_positives=0
    • false-negative versions: 2.14.0, 2.14.0-lts, 2.15.0

Source Disagreements

  • none recorded for this case

Reproduction

make cve-2026-40180
make interval-certificates topology-theorem order-sensitivity version-dags
make consumer-tools public-prevalence case-certificates verify-certificates

Primary Evidence Files

  • consumer_matrix: out/consumer_tools/latest/consumer_false_negative_matrix.csv
  • dependency_check_consumer_matrix: out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csv
  • gradle_cyclonedx_consumer_matrix: out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csv
  • order_sensitivity: out/order_sensitivity/order_sensitivity.csv
  • outcomes: out/witness_runs/CVE-2026-40180/latest/outcomes.csv
  • projection_decision_matrix: out/metadata_analysis/CVE-2026-40180/projection_decision_matrix.csv
  • projection_loss_summary: out/metadata_analysis/CVE-2026-40180/projection_loss_summary.csv
  • public_prevalence_by_case: out/public_prevalence/latest/public_dependency_prevalence_by_case.csv
  • theorem: out/theorem/single_interval_impossibility.json

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions