[FP]: CVE-2023-40743 org.apache.axis2/addressing@1.8.0

[rochish-suresh]

Package URl

pkg:maven/org.apache.axis2/addressing@1.8.0

CPE

cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:* versions up to (excluding) 2023-08-01

CVE

CVE-2023-40743

ODC Integration

None

ODC Version

8.2.1

Description

CVE description says the package is org.apache.axis group, but the CVE is been reported in org.apache.axis2.
Recommendation in the CVE database asks to use axis2 package instead of axis as workaround.
Does this mean the CVE is reported false positive or a valid one?

Gradle code:
implementation group: 'org.apache.axis2', name: 'addressing', version: '1.8.0', classifier: 'classpath-module'

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/6244592367

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/6244683424

[aikebah]

CVE description says nothing about the group, only that it's about Axis 1, but your derivation that Axis 1 is the org.apache.axis groupId and Axis 2/Java is the org.apache.axis2 groupId is correct, so it is indeed a false-positive.

[raghulvishnudhinesh]

Any Updates to resolve this false positive?

[lbruun]

I believe the issue is that of Library Identification (i.e. the link between a CVE and then mapping that to actual Maven GAV coordinates).

AFAIK, the OWASP Dependency Checker doesn't have any such information so it simply makes a guess based on some text matching. The reason for that is that such mapping hasn't existed ..until the folks at Google decided to do something about it and launched their OSV.dev initiative. The OSV can indeed do the mapping between this particular CVE and to the exact Maven coordinates that are vulnerable. See CVE-2023-40743 in OSV database. But the OWASP DependencyChecker doesn't use this information. (to be fair Google's initiative has only launched recently)

I've created Enhancement Request 6039 to this end.

[herohung093]

The same CVE is reported on package pkg:maven/org.apache.axis2/mex@1.6.4-impl Do we have any update on when this will be resolved.

[cabutler-7]

Any updates on this false positive?

[cabutler-7]

Any updates on this false positive?