[FP]: Very old CVE-2018-11775 detected for Apache ActiveMQ 5.17.0

[Gouri-19]

Package URl

pkg:maven/xx/msg-activemq-log-plugin@2.118.1

CPE

cpe:2.3:a:apache:activemq:2.118.1:::::::*

CVE

CVE-2018-11775

ODC Integration

None

ODC Version

8.4.3

Description

The CVE-2018-11775 was detected and reported by Owasp Dependency Check scan for Aapche ActiveMQ 5.17.0. The vulnerability description clearly states that the vulnerability exists in Apache ActiveMQ 5.x before 5.15.6. This is because, in the application code, xx-activemq-log-plugin takes the version as the project version. The Owasp Dependency report is picking and detecting it as ActiveMQ version and reporting the CVE in the scan report. Therefore, it is a false positive.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/10106604859

[aikebah]

1. Upgrade your scanner - Please Read: Mandatory Upgrade to 10.0.2 or later #6817 8.4.3 is not supported
2. The issue is not raised with ActiveMQ, but with your msg-activemq-log-plugin, which is version 2.118.1 and therfor much lower than the not-vulnerable activemq versions

I'd suggest taking a look at How dependency-check works?, Reading the report, and Suppressing False Positives.

[aikebah]

As this is (given your redacted coordinates) a private library you'll have to use a private suppression for it