Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

False Positive on Kotlin

See original GitHub issue

False positive on kotlin-stdlib-jdk8-1.4.0.jar (and a few other core kotlin 1.4.0 libraries) - reported as:

cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:jetbrains:kotlin:1.4.0:rc:*:*:*:*:*:*

Last night, after a change that NIST made, the core Kotlin libraries started reporting as vulnerable to CVE-2020-15824 despite the advisory stating that 1.4.0 fixes the issue.

Issue Analytics

State:
Created 3 years ago
Reactions:24
Comments:6 (1 by maintainers)

Top GitHub Comments

2reactions

timpharocommented, Dec 1, 2020

We just fell into this trap too and i’m guessing suppression is still the way forward here as updating to the latest components (1.4.20 at the time of writing) still produces the FP. Any news on the update on this @jeremylong?

1reaction

jamesrgrintercommented, Sep 15, 2020

This looks like the ones we just hit: dependency-check is getting confused by the versioning, and deciding that the rules that match the “milestone1” pre-release also apply to 1.4.0 (release).

Identifiers:
pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.4.0  (Confidence:Highest)
cpe:2.3:a:jetbrains:kotlin:1.4.0:milestone1:*:*:*:*:*:*  (Confidence:Highest)  suppress

etc.