CVE-2026-41731: executable affected-version evidence for dependency-check
Requested Check
Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.
Grouped Route
- candidate:
CVE-2026-41731
- route URL:
https://github.com/dependency-check/DependencyCheck
- targets:
dependency-check
- route kinds:
consumer-tool
- priority:
P2
- grouped queue rows:
1
- P0 rows in group:
0
Evidence Summary
- projection-loss versions:
0
- consumer false-negative versions:
0
- source-disagreement versions:
4
- report paths:
external_validation_reports/CVE-2026-41731_external_validation_report.md
Target-Specific Packets
| Target |
Route kind |
Priority |
Reason |
Body |
SHA-256 |
dependency-check |
consumer-tool |
P2 |
consumer interpretation misses witness-vulnerable versions |
external_validation_submissions/CVE-2026-41731__dependency-check.md |
029fde9fc09f62797a1c21fbaae905e07bb9abe4caeba46d259e76b2bba20e66 |
Reproduction
make cve-2026-41731
make interval-certificates topology-theorem order-sensitivity version-dags
make install-consumer-tools consumer-tools-all consumer-tools-dependency-check consumer-tools-gradle-cyclonedx
make public-prevalence case-certificates verify-certificates topology-aware validate-artifact
Full Packet Text
The target-specific packet bodies are included below so this grouped issue remains self-contained.
Packet: dependency-check / consumer-tool
CVE-2026-41731: executable affected-version evidence for dependency-check
Requested Check
Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.
Reason For Contact
- target:
dependency-check
- route kind:
consumer-tool
- reason: consumer interpretation misses witness-vulnerable versions
- report:
external_validation_reports/CVE-2026-41731_external_validation_report.md
Executable Certificate
- candidate:
CVE-2026-41731
- bitstring:
111010
- minimum interval cover:
2
- V-S-V witnesses:
1
- zero-error single intervals:
0
- full-recall false-positive lower bound:
1
- zero-false-positive false-negative lower bound:
1
Projection-Loss Coordinates
- none for the claim source in the tested matrix
Consumer Observations
dependency-check: rows=6, ok=6, false_negatives=4, false_positives=0
- false-negative versions:
2.8.11, 2.9.13, 3.3.15, 4.0.5
Source Disagreements
- versions with source disagreement:
2.8.11, 2.9.13, 3.3.15, 4.0.5
Reproduction
make cve-2026-41731
make interval-certificates topology-theorem order-sensitivity version-dags
make consumer-tools public-prevalence case-certificates verify-certificates
Primary Evidence Files
consumer_matrix: out/consumer_tools/latest/consumer_false_negative_matrix.csvdependency_check_consumer_matrix: out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csvgradle_cyclonedx_consumer_matrix: out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csvorder_sensitivity: out/order_sensitivity/order_sensitivity.csvoutcomes: out/witness_runs/CVE-2026-41731/latest/outcomes.csvprojection_decision_matrix: out/metadata_analysis/CVE-2026-41731/projection_decision_matrix.csvprojection_loss_summary: out/metadata_analysis/CVE-2026-41731/projection_loss_summary.csvpublic_prevalence_by_case: out/public_prevalence/latest/public_dependency_prevalence_by_case.csvtheorem: out/theorem/single_interval_impossibility.json
CVE-2026-41731: executable affected-version evidence for dependency-check
Requested Check
Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.
Grouped Route
CVE-2026-41731https://github.com/dependency-check/DependencyCheckdependency-checkconsumer-toolP210Evidence Summary
004external_validation_reports/CVE-2026-41731_external_validation_report.mdTarget-Specific Packets
dependency-checkconsumer-toolP2external_validation_submissions/CVE-2026-41731__dependency-check.md029fde9fc09f62797a1c21fbaae905e07bb9abe4caeba46d259e76b2bba20e66Reproduction
Full Packet Text
The target-specific packet bodies are included below so this grouped issue remains self-contained.
Packet: dependency-check / consumer-tool
CVE-2026-41731: executable affected-version evidence for dependency-check
Requested Check
Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.
Reason For Contact
dependency-checkconsumer-toolexternal_validation_reports/CVE-2026-41731_external_validation_report.mdExecutable Certificate
CVE-2026-4173111101021011Projection-Loss Coordinates
Consumer Observations
dependency-check: rows=6, ok=6, false_negatives=4, false_positives=02.8.11, 2.9.13, 3.3.15, 4.0.5Source Disagreements
2.8.11, 2.9.13, 3.3.15, 4.0.5Reproduction
Primary Evidence Files
consumer_matrix:out/consumer_tools/latest/consumer_false_negative_matrix.csvdependency_check_consumer_matrix:out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csvgradle_cyclonedx_consumer_matrix:out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csvorder_sensitivity:out/order_sensitivity/order_sensitivity.csvoutcomes:out/witness_runs/CVE-2026-41731/latest/outcomes.csvprojection_decision_matrix:out/metadata_analysis/CVE-2026-41731/projection_decision_matrix.csvprojection_loss_summary:out/metadata_analysis/CVE-2026-41731/projection_loss_summary.csvpublic_prevalence_by_case:out/public_prevalence/latest/public_dependency_prevalence_by_case.csvtheorem:out/theorem/single_interval_impossibility.json