Package URl
pkg:maven/io.prometheus/simpleclient_tracer_otel@0.16.0
CPE
cpe:2.3:a:opentelemetry:opentelemetry:0.16.0:::::::*
CVE
CVE-2023-43810
ODC Integration
{"label" => "Maven Plugin"}
ODC Version
12.2.2
Description
These CVEs impacts only on "opentelemetry:opentelemetry" packages as per cpe provided by NVD. But tool is reporting it on "io.prometheus/simpleclient_tracer_otel" jars as well, which is wrong.
The simpleclient_tracer_otel-0.16.0 jar (io.prometheus:simpleclient_tracer_otel) is a Java Prometheus metrics library that provides OpenTelemetry span context supplier functionality. The dependency-check tool incorrectly matches this Java library against the CPE cpe:2.3:a:opentelemetry:opentelemetry:0.16.0 with Low confidence, which corresponds to the Python/Go OpenTelemetry project - a completely different product. The CVE affects Python OpenTelemetry autoinstrumentation (opentelemetry-instrumentation package), not the Java Prometheus simpleclient library.
From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?
Package URl
pkg:maven/io.prometheus/simpleclient_tracer_otel@0.16.0
CPE
cpe:2.3:a:opentelemetry:opentelemetry:0.16.0:::::::*
CVE
CVE-2023-43810
ODC Integration
{"label" => "Maven Plugin"}
ODC Version
12.2.2
Description
These CVEs impacts only on "opentelemetry:opentelemetry" packages as per cpe provided by NVD. But tool is reporting it on "io.prometheus/simpleclient_tracer_otel" jars as well, which is wrong.
The simpleclient_tracer_otel-0.16.0 jar (io.prometheus:simpleclient_tracer_otel) is a Java Prometheus metrics library that provides OpenTelemetry span context supplier functionality. The dependency-check tool incorrectly matches this Java library against the CPE cpe:2.3:a:opentelemetry:opentelemetry:0.16.0 with Low confidence, which corresponds to the Python/Go OpenTelemetry project - a completely different product. The CVE affects Python OpenTelemetry autoinstrumentation (opentelemetry-instrumentation package), not the Java Prometheus simpleclient library.
From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?