
False alarms in scanners due to mismatch in Jdom maven version and Implementation-Version in MANIFEST.MF #216

Open
ramtech123 opened this issue Nov 29, 2023 · 2 comments


@ramtech123

We consume org.jdom:jdom2-2.0.6.1.jar. This version of the library is not vulnerable to CVE-2021-33813. (I went through the related issue #189).

The Implementation-Version value found in MANIFEST.MF file inside the 2.0.6.1 jar is 2.x-2021.11.08.17.25.

Due to the above mismatch between the jar version and the Implementation-Version field inside the MANIFEST.MF file, scanners are unable to determine the right version of this jar and continue to flag it for the above CVE.

Expectation: The version should be consistent so as to avoid any such inconveniences.
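The mismatch described in this issue can be checked before a scanner ever sees the dependency. The following is an added example, not code from the issue or from the JDOM project: it builds a small in-memory jar whose only content is a constructed MANIFEST.MF carrying the Implementation-Version value quoted above, then compares that value with the version parsed from the artifact filename. The filename-parsing heuristic and the helper names are assumptions of this example, not part of any scanner.

```python
import io
import re
import zipfile

# Only the JAR-spec fields needed for the check are included; the manifest
# text is constructed for this example and is not the jar's real manifest.
def build_sample_jar(impl_version):
    """Return the bytes of a minimal jar whose manifest declares impl_version."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Implementation-Version: {impl_version}\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def read_manifest_attr(jar_bytes, attr):
    """Return the value of a main-section manifest attribute, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    # The JAR spec wraps long values onto continuation lines that start with
    # a single space; join them back before parsing.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip() == attr:
                return value.strip()
    return None


# Assumed convention: Maven-style "<artifactId>-<version>.jar" filenames.
_FILENAME_VERSION = re.compile(r"-(\d+(?:\.\d+)*)\.jar$")


def version_from_filename(filename):
    match = _FILENAME_VERSION.search(filename)
    return match.group(1) if match else None


def check_jar(filename, jar_bytes):
    """Return (artifact_version, manifest_version, consistent).

    consistent is False whenever the manifest value does not equal the
    version encoded in the filename, which is the situation a scanner
    relying on Implementation-Version cannot resolve.
    """
    artifact_version = version_from_filename(filename)
    manifest_version = read_manifest_attr(jar_bytes, "Implementation-Version")
    consistent = artifact_version is not None and manifest_version == artifact_version
    return artifact_version, manifest_version, consistent


if __name__ == "__main__":
    # Snapshot-style value quoted in the issue versus the released filename.
    mismatched = build_sample_jar("2.x-2021.11.08.17.25")
    print(check_jar("jdom2-2.0.6.1.jar", mismatched))
    # The same check after the manifest carries the release version.
    fixed = build_sample_jar("2.0.6.1")
    print(check_jar("jdom2-2.0.6.1.jar", fixed))
```

Run against a real dependency directory, the same check_jar call on each file's bytes gives an inventory of artifacts whose manifest will confuse version-based matching, so those can be pinned by coordinates or suppressed with evidence rather than left as recurring false positives.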

@ar

ar commented Nov 29, 2023

Just tried to build it with a little change in build.xml and confirmed that it would fix this problem. I'm afraid 2.0.6.1 is already released, so this would require a new build and push to maven central, perhaps using version 2.0.6.2.

-       <property name="version" value="2.x-${snapshot.time}"/>
+       <property name="version" value="2.0.6.1"/>
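Review bot: the `+` line hardcodes `value="2.0.6.1"`, which conflicts with the plan in the same comment to publish the corrected build as 2.0.6.2 and means every future release needs a manual edit of build.xml, with the same manifest drift reappearing if that edit is forgotten. Suggest keeping `2.x-${snapshot.time}` for snapshot builds only and taking the release version from a single property set at release time, for example `<property name="version" value="${release.version}"/>`, so the Implementation-Version written into MANIFEST.MF always matches the published artifact version.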

@ramtech123
Author

I understand 2.0.6.1 is already released and can't be modified. This submission was to get it corrected for future releases. Thanks.
