
False positive on slf4j-api:1.8.0-beta2

See original GitHub issue

False positive on library slf4j-api:1.8.0-beta2.jar - reported as cpe:/a:slf4j:slf4j:1.8.0.beta

<dependency>
   <groupId>org.slf4j</groupId>
   <artifactId>slf4j-api</artifactId>
   <version>1.8.0-beta2</version>
</dependency>

The issue (CVE-2018-8088) has been resolved in 1.8.0-beta2, but dependency-check still flags the jar as vulnerable.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

3 reactions
pmehtaupgrade commented, Jan 3, 2019

I see the same issue as @eyecats mentioned. Even though we don’t use slf4j-ext, OWASP dep-check reports CVE-2018-8088 for the following libraries: jcl-over-slf4j-1.7.25.jar, jul-to-slf4j-1.7.25.jar, log4j-over-slf4j-1.7.25.jar, slf4j-api-1.7.25.jar. Appears to be a false positive, as others noted above. Please add a comment if someone noticed anything different with respect to the above libraries.

2 reactions
stepio commented, Jan 8, 2019

@reddyalready

But your link says that the issue was in slf4j-ext, while in this ticket slf4j-api is discussed. So… what about marking the whole slf4j-api as a false positive, not just 1.8.0-beta2?
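The practical way to act on what both comments above describe (the non-ext slf4j jars flagged for CVE-2018-8088, and the suggestion to treat slf4j-api as a whole rather than one version) is a dependency-check suppression file scoped to the dependency and the CVE together. The following is an added example, not code from the dependency-check project or from anyone in the thread: it embeds such a suppression file, then applies a small re-implementation of the matching rule to constructed sample findings so you can see exactly what the rule swallows and what it leaves alone. The artifact list in the packageUrl regex is an assumption drawn from the jars named in the thread, and the matching logic is a simplified model of dependency-check's behaviour, not its own code.

```python
"""Added example (not the dependency-check project's code, nor from the issue):
a suppression file that silences CVE-2018-8088 on the slf4j jars that do not
ship org.slf4j.ext, plus a simplified model of how such a rule is matched
against findings, run over constructed sample findings."""
import re
import xml.etree.ElementTree as ET

# Suppression file body in dependency-check's suppression XML format.
# The artifact list mirrors the jars named in the thread; slf4j-ext is
# deliberately absent because CVE-2018-8088 lives in org.slf4j.ext.EventData.
SUPPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2018-8088 affects org.slf4j.ext.EventData in slf4j-ext. The API,
      bridge and adapter jars do not contain that class. slf4j-ext is kept
      out of this rule so an affected version of it is still reported.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.slf4j/(slf4j-api|jcl-over-slf4j|jul-to-slf4j|log4j-over-slf4j)@.*$</packageUrl>
    <cve>CVE-2018-8088</cve>
  </suppress>
</suppressions>
"""

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}


def load_rules(xml_text: str) -> list:
    """Parse <suppress> entries into (packageUrl pattern, set of CVE ids)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rules = []
    for sup in root.findall("s:suppress", NS):
        purl_el = sup.find("s:packageUrl", NS)
        if purl_el is None:
            pattern = None
        elif purl_el.get("regex") == "true":
            pattern = re.compile(purl_el.text.strip())
        else:
            # Non-regex packageUrl is an exact match.
            pattern = re.compile(re.escape(purl_el.text.strip()) + "$")
        cves = {c.text.strip() for c in sup.findall("s:cve", NS)}
        rules.append((pattern, cves))
    return rules


def is_suppressed(finding: dict, rules: list) -> bool:
    """A rule suppresses a finding only when both its dependency selector
    (packageUrl) and its vulnerability selector (cve) match. A rule with no
    cve element would suppress every CVE on the matched dependency, which is
    why the example file always names the CVE."""
    for pattern, cves in rules:
        if pattern is not None and not pattern.match(finding["purl"]):
            continue
        if cves and finding["cve"] not in cves:
            continue
        return True
    return False


def triage(findings: list, xml_text: str = SUPPRESSIONS_XML) -> tuple:
    """Split findings into (suppressed, still_reported) lists of purl strings."""
    rules = load_rules(xml_text)
    suppressed = [f["purl"] for f in findings if is_suppressed(f, rules)]
    reported = [f["purl"] for f in findings if not is_suppressed(f, rules)]
    return suppressed, reported


# Constructed sample findings, shaped like dependency-check report entries.
SAMPLE_FINDINGS = [
    {"purl": "pkg:maven/org.slf4j/slf4j-api@1.8.0-beta2", "cve": "CVE-2018-8088"},
    {"purl": "pkg:maven/org.slf4j/jcl-over-slf4j@1.7.25", "cve": "CVE-2018-8088"},
    {"purl": "pkg:maven/org.slf4j/log4j-over-slf4j@1.7.25", "cve": "CVE-2018-8088"},
    # slf4j-ext is the artifact the CVE is actually about: must stay reported.
    {"purl": "pkg:maven/org.slf4j/slf4j-ext@1.7.25", "cve": "CVE-2018-8088"},
    # Placeholder id (not a real CVE): a different CVE on slf4j-api must not be swallowed.
    {"purl": "pkg:maven/org.slf4j/slf4j-api@1.7.25", "cve": "CVE-0000-0000"},
]

if __name__ == "__main__":
    suppressed, reported = triage(SAMPLE_FINDINGS)
    print("suppressed:", *suppressed, sep="\n  ")
    print("still reported:", *reported, sep="\n  ")
```

To use the file itself, save the SUPPRESSIONS_XML contents to e.g. dependency-check-suppressions.xml and point the scanner at it: the `suppressionFile` configuration parameter of the dependency-check Maven plugin, or `--suppression <file>` on the CLI. Scoping the rule to the CVE rather than the dependency alone is the important part: a packageUrl-only suppression would hide every future CVE on slf4j-api, not just this misattributed one.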
