JasperReports vulnerability was not detected


#1

Hi,

There is a vulnerability in the JasperReports library for versions before 6.4.3.
It's described here: NVD - CVE-2018-5429

For some reason, DepShield has not found it in a project with the following dependency:

    <dependency>
        <groupId>net.sf.jasperreports</groupId>
        <artifactId>jasperreports</artifactId>
        <version>4.0.2</version>
    </dependency>

Has anyone experienced that?

Thanks, Igor


#2

Hi Igor,

OSS Index is Sonatype’s free source of open source security information that is derived from automation and does not include human curation. For this particular project, the CPE in the CVE [0] does not match the GAV and in fact deviates from other CPEs used by that project. As such it was not picked up for OSS Index. We verified with our Nexus Intelligence database that CVE-2018-5429 does affect net.sf.jasperreports:jasperreports and in fact the CPE in question is associated with that artifact. As such we have associated the two in our automated pipeline and this and all subsequent vulnerabilities associated with that CPE should be reported in OSS Index.

Thanks for the question,
Justin

[0] (cpe:2.3:a:tibco:jasperreports_library)
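To make the failure mode Justin describes concrete, here is a small Python model of an automated CPE-to-Maven matcher. This is an added example, not code from OSS Index, DepShield or Nexus Intelligence; the mapping tables in it are constructed for illustration (the "jaspersoft" entry stands in for whatever earlier CPEs the pipeline had learned for the project), and only the CPE from footnote [0], the GAV from the question and the 6.4.3 fix version come from the thread.

```python
"""Why an automated CPE-to-Maven matcher can miss a CVE, and what adding the
missing CPE association changes. Added example; not OSS Index, DepShield or
Nexus code. The mapping tables below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str  # "*" when the CPE string carries no version


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string, full or truncated after the product.

    Layout: cpe:2.3:part:vendor:product:version:update:edition:...
    """
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    version = parts[5] if len(parts) > 5 and parts[5] else "*"
    return Cpe(parts[3], parts[4], version)


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '6.4.3' into (6, 4, 3) so versions compare numerically.

    A plain string compare would put '10.0.0' before '6.4.3'.
    """
    return tuple(int(p) for p in version.split("."))


def is_affected(version: str, fixed_in: str) -> bool:
    """True when the dependency version is strictly below the fixed version."""
    return version_key(version) < version_key(fixed_in)


# Hypothetical (vendor, product) -> groupId:artifactId table, as an automated
# pipeline might have learned it from earlier advisories for the same project.
# Constructed for this example; the real OSS Index mapping is not shown here.
LEARNED_MAPPING: Dict[Tuple[str, str], str] = {
    ("jaspersoft", "jasperreports"): "net.sf.jasperreports:jasperreports",
}

# The same table after the CPE actually used in CVE-2018-5429 (footnote [0])
# has been associated with the artifact.
CURATED_MAPPING: Dict[Tuple[str, str], str] = dict(LEARNED_MAPPING)
CURATED_MAPPING[("tibco", "jasperreports_library")] = "net.sf.jasperreports:jasperreports"


def is_reported(cpe: str, ga: str, version: str, fixed_in: str,
                mapping: Dict[Tuple[str, str], str]) -> bool:
    """Would a scanner using `mapping` flag dependency ga:version for a CVE
    whose affected configuration is `cpe` and whose fix version is `fixed_in`?"""
    c = parse_cpe23(cpe)
    if mapping.get((c.vendor, c.product)) != ga:
        return False  # CPE not linked to this GAV: the CVE is silently missed
    return is_affected(version, fixed_in)


if __name__ == "__main__":
    cve_cpe = "cpe:2.3:a:tibco:jasperreports_library"
    ga, ver, fixed = "net.sf.jasperreports:jasperreports", "4.0.2", "6.4.3"
    print("automation only:", is_reported(cve_cpe, ga, ver, fixed, LEARNED_MAPPING))  # False
    print("after curation: ", is_reported(cve_cpe, ga, ver, fixed, CURATED_MAPPING))  # True
```

The point of the model is that the version check never runs when the (vendor, product) pair in the CVE's CPE is not in the mapping: the scanner does not report a false negative as an error, it simply says nothing. When checking a scanner's coverage for a CVE you care about, compare the CPE in the NVD entry against the CPEs the tool is known to map for that artifact, not just the version range.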


#3

Great, thank you Justin!