
False Positive on activemq-all-5.15.11.jar


False positive on library activemq-all-5.15.11.jar - reported as cpe:2.3:a:apache:activemq:5.15.11:*:*:*:*:*:*:*

<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-all</artifactId>
    <version>5.15.11</version>
</dependency>

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

1 reaction
jeremylong commented, Nov 2, 2020

Suppression rules were added for the specific CVEs. New CVEs may come up in the future…

0 reactions
jeremylong commented, Mar 1, 2020

@aikebah I agree we should probably remove the base suppression that is already present.

Things like Active MQ do present more of a challenge. For the use cases for ODC I wonder if we could add something like:

<suppress>
   <notes><![CDATA[
   file name: activemq-all-5.15.11.jar
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
   <cve>CVE-2015-5182</cve>
   <cve>CVE-2015-5183</cve>
   <cve>CVE-2015-5184</cve>
</suppress>

Then again - I’ve seen people use ODC in unexpected ways… So I tend to agree with you - maybe we should leave AMQ alone and let developers manage this in their own scans.
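A complete project-side suppression file built around the rule quoted in the comment above, as an added example; it is not part of the issue thread or of dependency-check's own base suppressions, and the file name, the `until` date and the notes text are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name), kept in the project
     repository and referenced from the scan. Added example, not from the thread. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Narrow form: hides only the three CVEs named in the thread, and only for
         org.apache.activemq artifacts. A CVE published later for ActiveMQ is still
         reported, which is the point of the "new CVEs may come up" comment.
         The until date (assumed) makes the rule expire so it gets re-reviewed. -->
    <suppress until="2021-06-01Z">
        <notes><![CDATA[
        file name: activemq-all-5.15.11.jar
        Reported as a false positive in the dependency-check issue tracker;
        re-check against the current NVD data when this rule expires.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
        <cve>CVE-2015-5182</cve>
        <cve>CVE-2015-5183</cve>
        <cve>CVE-2015-5184</cve>
    </suppress>

    <!-- Broad form, shown only for contrast and left disabled: suppressing the
         whole CPE silences every current and future ActiveMQ finding for the jar,
         which is why the maintainers lean towards not shipping such a base rule. -->
    <!--
    <suppress>
        <notes><![CDATA[ file name: activemq-all-5.15.11.jar ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/.*$</packageUrl>
        <cpe>cpe:/a:apache:activemq</cpe>
    </suppress>
    -->
</suppressions>
```

Point the scan at the file through the Maven plugin's `suppressionFiles` parameter (or the CLI's `--suppression` option) so the rule travels with the project rather than living in a global configuration.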

