I've started getting a large number of false positives on one of my projects that uses Camel because of CVE-2022-45046. Apache have withdrawn/rejected the CVE, but I still get it in my scans seemingly because DependencyCheck is only reading the description in a very specific way to identify rejected CVEs:
https://github.com/jeremylong/DependencyCheck/blob/175a00d499f243e8250ab5b86685b44c9c368f86/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java#L199-L208
https://github.com/jeremylong/DependencyCheck/blob/175a00d499f243e8250ab5b86685b44c9c368f86/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java#L807-L809
To work around the issue I've added some suppressions for the CVE, but I'm wondering if there's a better way? I'm not knowledgeable enough about this space to know whether the problem stems from Apache not following the "standard" description when rejecting the CVE or if DependencyCheck is too naïve in its approach.
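For reference, the kind of suppression the reporter mentions looks like the following. This is an added example, not the reporter's own file and not anything shipped by DependencyCheck or Apache Camel; it uses the DependencyCheck 1.3 suppression schema and assumes the flagged dependencies are Maven artifacts under the `org.apache.camel` groupId (adjust the `packageUrl` regex to whatever your scan report actually lists). The `until` attribute is optional and is shown here as a way to force the suppression to expire so the false positive is re-examined once the rejected CVE is handled upstream.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example DependencyCheck suppression file (added example, not from the original issue).
     Scoped narrowly: only CVE-2022-45046, and only for Camel artifacts, so no other
     findings against these dependencies are hidden. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- 'until' (assumed date, pick your own) makes the suppression lapse automatically,
         which forces a re-check instead of silently suppressing forever. -->
    <suppress until="2023-06-30Z">
        <notes><![CDATA[
        CVE-2022-45046 was rejected/withdrawn by Apache but is still matched by DependencyCheck
        because the rejection is not recognised from the NVD description text.
        Suppression is restricted to org.apache.camel artifacts (assumed groupId).
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.camel/.*$</packageUrl>
        <cve>CVE-2022-45046</cve>
    </suppress>
</suppressions>
```

Point the scanner at the file with the `--suppression` CLI option (or the equivalent `suppressionFile(s)` setting in the Maven/Gradle plugins) and keep it in version control next to the build, so the note explaining why the finding is suppressed travels with the project.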