
#3868 Suppress log4j-api & log4j-to-slf4j false positive#3869

Merged
jeremylong merged 2 commits into dependency-check:main from nhumblot:3868-fp-log4japi
Dec 14, 2021

Conversation

@nhumblot
Collaborator

@nhumblot nhumblot commented Dec 13, 2021

Fixes Issue

Description of Change

Fix #3868

log4j-api & log4j-to-slf4j are identified as vulnerable to CVE-2021-44228.

More explanations on why these two dependencies should be declared as false positives.

Have test cases been added to cover the new functionality?

No automated test but a manual verification of these FPs not being raised on a compiled snapshot has been performed.

@boring-cyborg boring-cyborg Bot added the core changes to core label Dec 13, 2021
Comment thread core/src/main/resources/dependencycheck-base-suppression.xml Outdated
@jeremylong jeremylong merged commit d4cc8a4 into dependency-check:main Dec 14, 2021
@jeremylong jeremylong added this to the 6.5.1 milestone Dec 14, 2021
@nhumblot nhumblot deleted the 3868-fp-log4japi branch December 14, 2021 19:35
@bjansen
Contributor

bjansen commented Dec 20, 2021

What if someday someone finds a CVE in log4j-api, won't it be suppressed because the CPE will also be cpe:/a:apache:log4j and lead to a false negative?

@whimet

whimet commented Dec 20, 2021

With version 6.5.1, it still reports CVE-2021-45046 and CVE-2021-45105 against log4j-api, which are false positives as well. For example: log4j-api-2.13.3.jar (pkg:maven/org.apache.logging.log4j/log4j-api@2.13.3, cpe:2.3:a:apache:log4j:2.13.3:*:*:*:*:*:*:*) : CVE-2021-45046, CVE-2021-45105

@jeremylong
Collaborator

@bjansen What I ended up doing was suppressing by CVE - not the entire log4j CPE. Which is why @whimet is reporting that the two newer CVEs are still being reported. I just updated the suppression file: jeremylong/DependencyCheck#3910

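To make the distinction in the reply above concrete, here is an added illustration of the two ways the same false positive can be written in a dependency-check suppression file. It is not the contents of this PR's diff nor of the project's shipped base suppression file; the file name and the `<notes>` text are assumptions. The first `<suppress>` block matches on the `apache:log4j` CPE alone and would also hide any future CVE assigned to that CPE for the artifact, which is the false negative bjansen asks about. The second and third blocks are scoped by `packageUrl` and by explicit `<cve>` entries, so a new CVE against log4j-api or log4j-to-slf4j would still be reported; the two extra CVEs on the log4j-api block follow whimet's report and the reply above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative suppression file (assumed name: log4j-fp-suppressions.xml).
     Added example; not the diff of PR #3869 or the project's base suppression file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- TOO BROAD: matching on the CPE alone hides every CVE, present and future,
         that is ever assigned to cpe:/a:apache:log4j for this artifact. -->
    <suppress>
        <notes><![CDATA[
        Example of what NOT to do: suppresses the whole apache:log4j CPE for log4j-api.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-api@.*$</packageUrl>
        <cpe>cpe:/a:apache:log4j</cpe>
    </suppress>

    <!-- SCOPED: suppress only the CVEs known to be false positives for log4j-api.
         Any CVE not listed here is still reported against the artifact. -->
    <suppress>
        <notes><![CDATA[
        False positive for log4j-api; see issue #3868 for the reasoning.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-api@.*$</packageUrl>
        <cve>CVE-2021-44228</cve>
        <cve>CVE-2021-45046</cve>
        <cve>CVE-2021-45105</cve>
    </suppress>

    <!-- The same scoped form for the log4j-to-slf4j bridge named in the PR.
         Further CVEs that turn out to be false positives are added one <cve> at a time. -->
    <suppress>
        <notes><![CDATA[
        False positive for log4j-to-slf4j; see issue #3868 for the reasoning.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-to\-slf4j@.*$</packageUrl>
        <cve>CVE-2021-44228</cve>
    </suppress>
</suppressions>
```

To verify which form you actually have in place, run the CLI against a directory containing the jar with the file passed via `--suppression` (for example `dependency-check.sh --project demo --scan lib/ --suppression log4j-fp-suppressions.xml --format JSON --out report/`) and confirm in the report that the listed CVEs are gone from log4j-api while a CVE you have not listed, or a deliberately mistyped CVE id in the file, is still reported. If a `<cpe>`-only block like the first one is present, that check fails silently: nothing at all is reported for the artifact.
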
@bjansen
Contributor

bjansen commented Dec 21, 2021

OK thanks for the clarification.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Dec 29, 2024

Labels

core changes to core


Development

Successfully merging this pull request may close these issues.

False Positive on log4j-api-2.14.1.jar

4 participants