Regression in 4.0.0, Quartz JAR is misidentified as being Jenkins #1582

Closed
ThrawnCA opened this issue Nov 25, 2018 · 4 comments
ThrawnCA commented Nov 25, 2018

Reporting Bugs/Errors

Maven build log extract:

[INFO] --- dependency-check-maven:4.0.0:check (default-cli) @ xxx ---
[INFO] Central analyzer disabled
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 12 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (43 ms)
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (3 seconds)
[WARNING]
One or more dependencies were identified with known vulnerabilities in xxx:
...
quartz-2.3.0.jar (org.quartz-scheduler:quartz:2.3.0, cpe:/a:jenkins:jenkins:2.3) : CVE-2018-1000169, CVE-2017-2610, CVE-2017-2611, CVE-2017-1000504, CVE-2017-2609, CVE-2017-2601, CVE-2017-2602, CVE-2017-2603, CVE-2017-2604, CVE-2017-2606, CVE-2017-2607, CVE-2017-2608, CVE-2017-1000354, CVE-2017-1000398, CVE-2017-1000355, CVE-2017-1000399, CVE-2017-1000396, CVE-2017-1000353, CVE-2017-1000356, CVE-2018-6356, CVE-2017-2612, CVE-2017-1000391, CVE-2017-2613, CVE-2017-1000394, CVE-2017-1000395, CVE-2018-1000170, CVE-2017-1000392, CVE-2017-1000393, CVE-2018-1000067, CVE-2017-2598, CVE-2018-1000068, CVE-2017-1000400, CVE-2017-2599, CVE-2017-1000401, CVE-2017-17383, CVE-2017-2600, CVE-2016-9299, CVE-2018-1999043, CVE-2018-1999042, CVE-2018-1000195, CVE-2018-1999005, CVE-2018-1999004, CVE-2018-1000193, CVE-2018-1999007, CVE-2018-1000194, CVE-2018-1999006, CVE-2018-1999001, CVE-2018-1999045, CVE-2018-1000192, CVE-2018-1999044, CVE-2018-1999003, CVE-2018-1999047, CVE-2018-1999002, CVE-2018-1999046
See the dependency-check report for more details.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.966 s
[INFO] Finished at: 2018-11-23T16:08:31+10:00
[INFO] Final Memory: 21M/361M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:4.0.0:check (default-cli) on project xxx:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':
[ERROR]
...
[ERROR] quartz-2.3.0.jar: CVE-2018-1000169, CVE-2017-2610, CVE-2017-2611, CVE-2017-1000504, CVE-2017-2609, CVE-2017-2601, CVE-2017-2602, CVE-2017-2603, CVE-2017-2604, CVE-2017-2606, CVE-2017-2607, CVE-2017-2608, CVE-2017-1000354, CVE-2017-1000398, CVE-2017-1000355, CVE-2017-1000399, CVE-2017-1000396, CVE-2017-1000353, CVE-2017-1000356, CVE-2018-6356, CVE-2017-2612, CVE-2017-1000391, CVE-2017-2613, CVE-2017-1000394, CVE-2017-1000395, CVE-2018-1000170, CVE-2017-1000392, CVE-2017-1000393, CVE-2018-1000067, CVE-2017-2598, CVE-2018-1000068, CVE-2017-1000400, CVE-2017-2599, CVE-2017-1000401, CVE-2017-17383, CVE-2017-2600, CVE-2016-9299, CVE-2018-1999043, CVE-2018-1999042, CVE-2018-1000195, CVE-2018-1999005, CVE-2018-1999004, CVE-2018-1000193, CVE-2018-1999007, CVE-2018-1000194, CVE-2018-1999006, CVE-2018-1999001, CVE-2018-1999045, CVE-2018-1000192, CVE-2018-1999044, CVE-2018-1999003, CVE-2018-1999047, CVE-2018-1999002, CVE-2018-1999046
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR]
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
Compilation failed.

Reporting False Positives

False positive on library org.quartz-scheduler:quartz:2.3.0 - reported as cpe:/a:jenkins:jenkins:2.3, using Dependency Checker Maven plugin 4.0.0.

<dependency>
   <groupId>org.quartz-scheduler</groupId>
   <artifactId>quartz</artifactId>
   <version>2.3.0</version>
</dependency>
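As an added example (not part of this issue or of the dependency-check project's own files), a suppression file that a build stuck on 4.0.0 could use until the fix ships. It suppresses only the wrong `cpe:/a:jenkins:jenkins` identification for the quartz artifact, so any genuine quartz CVE would still be reported; the file name is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the issue: dependency-check-suppressions.xml (file name assumed). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      dependency-check-maven 4.0.0 mis-identifies org.quartz-scheduler:quartz as
      cpe:/a:jenkins:jenkins (see #1579 / #1580). Suppress the wrong CPE only, not the
      individual CVEs, so real quartz findings still surface. Remove once on 4.0.1+.
    ]]></notes>
    <!-- match the artifact by Maven coordinates, any version -->
    <gav regex="true">^org\.quartz-scheduler:quartz:.*$</gav>
    <!-- drop just the mis-attributed CPE; other identifications stay -->
    <cpe>cpe:/a:jenkins:jenkins</cpe>
  </suppress>
</suppressions>
```

Point the plugin at it with `<suppressionFiles><suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile></suppressionFiles>` inside its `<configuration>`, and re-check the report to confirm only the jenkins match disappears.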
@RobertPaasche
Contributor

It's already reported in #1579

@malejpavouk

Root cause (Lucene upgrade from 5.X -> 7.X) is discussed in #1580

@jeremylong jeremylong added the bug label Dec 16, 2018
@jeremylong
Owner

This was resolved with the 4.0.1 release.

@lock

lock bot commented Jan 19, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
