[FP]: org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is misidentified as jetty 4.0.6 component (but is not) (wrong CPE) #6666

@aschank

Package URL

pkg:maven/org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6

CPE

cpe:2.3:a:jetty:jetty:4.0.6:*:*:*:*:*:*:*

CVE

CVE-2017-7657

ODC Integration

Ant Task

ODC Version

9.1.0

Description

Hi,

there is a mis-identification of the CPE for the jetty tools package jetty-servlet-api (version 4.0.6).

The Package org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6 is mis-identified as a jetty 4.0.6 package (cpe:2.3:a:jetty:jetty:4.0.6:*:*:*:*:*:*:* and cpe:2.3:a:eclipse:jetty:4.0.6:*:*:*:*:*:*:*), although it actually came with Jetty 12 and the version of the jar is independent of Jetty version but depends on the Servlet API version.

So the problem is the incorrect CPE that is identified for the component, since the CVEs all address earlier jetty versions.

Here's the sonatype ossindex page for the component:

https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty.toolchain/jetty-servlet-api@4.0.6

We would appreciate it if the CPE (actually I don't know the correct CPE for this jar) could be fixed.

Thanks in advance :-)
Andreas
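Until the CPE mapping is corrected upstream, the usual way to handle a false positive like this in Dependency-Check is a suppression rule scoped to the exact Package URL, so that real `org.eclipse.jetty` server artifacts keep being matched. The file below is an added example, not something from the reporter or from the Dependency-Check project; it assumes the standard suppression file schema (`dependency-suppression.1.3.xsd`) and suppresses only the two CPEs named in this report for artifacts whose Package URL matches `jetty-servlet-api` from the `org.eclipse.jetty.toolchain` group.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not part of the original issue).
     Scope: only the jetty-servlet-api artifact from org.eclipse.jetty.toolchain.
     Effect: the two CPEs this issue reports as wrong are no longer applied to it,
             so CVEs that target the Jetty server (e.g. the CVE-2017-7657 match
             reported above) stop being attributed to this servlet-API jar. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: jetty-servlet-api is versioned after the Servlet API,
      not after the Jetty server, so the jetty:jetty / eclipse:jetty CPEs
      do not describe this artifact. Tracked in dependency-check issue #6666.
    ]]></notes>
    <!-- regex="true" keeps the rule valid when the servlet-api version changes -->
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
    <cpe>cpe:/a:jetty:jetty</cpe>
    <cpe>cpe:/a:eclipse:jetty</cpe>
  </suppress>
</suppressions>
```

The rule deliberately suppresses the CPE rather than the individual CVE: a per-CVE suppression would have to be extended every time a new Jetty server advisory is published, whereas removing the wrong CPE match addresses the root cause the report describes. The file is passed to the scan through the integration's suppression-file option (for the Ant task used here, the task's suppression file setting); after adding it, re-run the scan and confirm that other Jetty dependencies in the same build are still identified, which verifies that the `packageUrl` scoping is tight enough.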
