Dependency Check identifies several CVEs in com.thoughtworks.xstream:xstream:1.4.21 transitive dependency io.github.x-stream:mxparser:1.2.2.
mxparser-1.2.2.jar (pkg:maven/io.github.x-stream/mxparser@1.2.2, cpe:2.3:a:xstream:xstream:1.2.2:*:*:*:*:*:*:*) : CVE-2021-21345, CVE-2013-7285, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21342, CVE-2021-21351, CVE-2020-26217, CVE-2021-29505, CVE-2021-39139, CVE-2021-21349, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145, CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149, CVE-2021-39150, CVE-2021-39151, CVE-2021-39152, CVE-2021-39153, CVE-2021-39154, CVE-2020-26258, CVE-2016-3674, CVE-2017-7957, CVE-2021-21341, CVE-2021-21343, CVE-2021-21348, CVE-2021-43859, CVE-2022-40151, CVE-2022-40152, CVE-2022-41966, CVE-2020-26259, CVE-2021-39140
Package URL
pkg:maven/io.github.x-stream/mxparser@1.2.2
CPE
cpe:/a:xstream:xstream
CVE
No response
ODC Integration
Maven Plugin
ODC Version
12.1.0
Description
This looks like a regression of #3230.
This seems to be caused by a recent change in the CPE configuration of XStream. The GroupId "xstream_project" was changed to "xstream".
See https://nvd.nist.gov/vuln/detail/CVE-2021-21345#VulnChangeHistorySection
In consequence, the suppression dependencycheck-base-suppression.xml#L205 does not match anymore.
I propose to update the suppression definition mentioned above.
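As an added example (not part of this report and not the project's own base suppression file), this is the shape a project-level suppression entry would take to match the CPE now assigned to the mxparser package URL above; the regex and the notes text are assumptions, and the entry should be dropped again once the base suppression file is fixed upstream:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Added example: io.github.x-stream:mxparser is the XPP3 parser used by XStream,
      not XStream itself. NVD now files the XStream CVEs under vendor "xstream"
      (previously "xstream_project"), so the new CPE is suppressed for this
      package URL only. Remove once dependencycheck-base-suppression.xml covers it.
    ]]></notes>
    <!-- Match every mxparser version so a bump of the transitive dependency does not re-trigger the false positive. -->
    <packageUrl regex="true">^pkg:maven/io\.github\.x-stream/mxparser@.*$</packageUrl>
    <!-- The CPE reported by ODC for this artifact, in the vendor:product form used by suppression rules. -->
    <cpe>cpe:/a:xstream:xstream</cpe>
  </suppress>
</suppressions>
```

Scoping the rule to the mxparser package URL keeps the XStream CVEs reportable for com.thoughtworks.xstream:xstream itself, where they are genuine findings.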