[FP]: Apache Camel Karaf OSGI Bundle Misidentified as Apache Karaf 3.22.4

[mnika93]

Package URl

pkg:maven/org.apache.camel.karaf/camel-core-osgi@3.22.4

CPE

cpe:2.3:a:apache:karaf:3.22.4:::::::*

CVE

CVE-2018-11786
CVE-2018-11788
CVE-2021-41766
CVE-2022-40145

ODC Integration

{"label" => "CLI"}

ODC Version

12.2.1

Description

False positive: The scanner matches org.apache.camel.karaf.camel-core-osgi-3.22.4.jar against CPE apache:karaf:3.22.4 because the group ID contains camel.karaf and version 3.22.4 is interpreted as a Karaf version.

Evidence from report:

• data-display-name: *-org.apache.camel.karaf.camel-core-osgi-3.22.4.jar
• Matched CPE: cpe:2.3:a:apache:karaf:3.22.4:*:*:*:*:*:*:*

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.camel.karaf</groupId>
  <artifactId>camel-core-osgi</artifactId>
  <version>3.22.4</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8599
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.camel\.karaf/camel-core-osgi@.*$</packageUrl>
    <cpe regex="true">cpe:/a:apache:karaf(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27369090329

[chadlwilson]

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.camel.karaf</groupId>
  <artifactId>camel-core-osgi</artifactId>
  <version>3.22.4</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8599
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.camel\.karaf/camel-core-osgi@.*$</packageUrl>
    <cpe regex="true">cpe:/a:apache:karaf(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27406192738

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.camel.karaf</groupId>
  <artifactId>camel-core-osgi</artifactId>
  <version>3.22.4</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8599
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.camel\.karaf/camel-core-osgi@.*$</packageUrl>
    <cpe regex="true">cpe:/a:apache:karaf(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27406426715

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.camel.karaf</groupId>
  <artifactId>camel-core-osgi</artifactId>
  <version>3.22.4</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8599
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.camel\.karaf/camel-core-osgi@.*$</packageUrl>
    <cpe regex="true">cpe:/a:apache:karaf(:.*)?$</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/27406548534