JUnit is usually used as a test dependency, but I have this module that contains a JUnit rule to be used by other modules, so in this case JUnit is configured as a compile dependency:
CVE-2020-15250 is supposed to affect versions up to 4.13.1 excluded, yet since yesterday dependency-check started complaining that the latest version is also affected by the CVE:
09:43:03,020 [main] [ERROR] One or more dependencies were identified with vulnerabilities:
09:43:03,023 [main] [ERROR]
09:43:03,025 [main] [ERROR] junit-4.13.1.jar: CVE-2020-15250
09:43:03,028 [main] [ERROR]
09:43:03,030 [main] [ERROR] See the dependency-check report for more details.
I see that the NVD page was updated yesterday (Nov 16), so it might explain the sudden error.
Actually it looks like Sonatype's OSSIndex is at fault here, they seem to include 4.13.1 instead of excluding it:
From the generated HTML report:
References:
OSSINDEX - [CVE-2020-15250] In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder cont...
Vulnerable Software & Versions (OSSINDEX):
cpe:2.3:a:junit:junit:4.13.1:*:*:*:*:*:*:*
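To make the boundary problem reported above concrete, here is an added example (not code from dependency-check, OSS Index or the issue author) that models an NVD-style affected range with its inclusive/exclusive bounds and evaluates JUnit versions against it. The range values for CVE-2020-15250 (start 4.7 inclusive, end 4.13.1 exclusive) are the ones stated on the page; the sample version list and the "inclusive end" variant that reproduces the false positive are constructed for illustration.

```python
"""Evaluate versions against an NVD-style affected range.

Added example, not part of the dependency-check project. It shows why
CVE-2020-15250 (affected: versionStartIncluding 4.7, versionEndExcluding
4.13.1) must not match junit 4.13.1, and how treating the end bound as
inclusive, which is what the issue observes from OSS Index, produces the
false positive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '4.13.1' into a comparable int tuple.

    Trailing zeros are dropped so that '4.13' and '4.13.0' compare equal,
    which is how Maven-style versions are normally treated in ranges.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class AffectedRange:
    """Mirrors the NVD match fields versionStart{In,Ex}cluding / versionEnd{In,Ex}cluding."""

    start: Optional[str] = None
    start_including: bool = True
    end: Optional[str] = None
    end_including: bool = False

    def contains(self, version: str) -> bool:
        """True if `version` falls inside the affected range."""
        v = parse_version(version)
        if self.start is not None:
            s = parse_version(self.start)
            if v < s or (v == s and not self.start_including):
                return False
        if self.end is not None:
            e = parse_version(self.end)
            if v > e or (v == e and not self.end_including):
                return False
        return True


# Range as published for CVE-2020-15250: from 4.7 inclusive, before 4.13.1.
NVD_RANGE = AffectedRange(start="4.7", end="4.13.1", end_including=False)

# Constructed variant: same bounds but the end treated as inclusive. This is
# the behaviour the issue reports from OSS Index (4.13.1 listed as vulnerable).
INCLUSIVE_END_RANGE = AffectedRange(start="4.7", end="4.13.1", end_including=True)

# Constructed sample of JUnit 4 versions around the boundary.
SAMPLE_VERSIONS: List[str] = ["4.6", "4.7", "4.12", "4.13", "4.13.1", "4.13.2"]


def evaluate(versions: List[str], rng: AffectedRange) -> Dict[str, bool]:
    """Map each version to whether the given range marks it as affected."""
    return {v: rng.contains(v) for v in versions}


def disagreements(versions: List[str], a: AffectedRange, b: AffectedRange) -> List[str]:
    """Versions on which two range definitions give different verdicts."""
    return [v for v in versions if a.contains(v) != b.contains(v)]


if __name__ == "__main__":
    for name, rng in (("NVD (end excluded)", NVD_RANGE), ("inclusive end", INCLUSIVE_END_RANGE)):
        print(name)
        for version, hit in evaluate(SAMPLE_VERSIONS, rng).items():
            print(f"  junit {version:7} affected={hit}")
    print("differs only for:", disagreements(SAMPLE_VERSIONS, NVD_RANGE, INCLUSIVE_END_RANGE))
```

Run as a script, the two tables differ on exactly one version, 4.13.1, which is the fixed release. Until the upstream data source corrects its range, the practical workaround in dependency-check is a suppression entry scoped to that CVE and that specific artifact version, so the rule expires naturally once the data is fixed rather than hiding the CVE for older, genuinely affected versions.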