Skip to content

[FP]: Wrongly reporting vulnerability CVE-2023-43810, CVE-2023-45142, CVE-2023-47108 on simpleclient_tracer_otel-0.16.0 #8518

Description

@prabutdr

Package URl

pkg:maven/io.prometheus/simpleclient_tracer_otel@0.16.0

CPE

cpe:2.3:a:opentelemetry:opentelemetry:0.16.0:::::::*

CVE

CVE-2023-43810

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.2.2

Description

These CVEs impacts only on "opentelemetry:opentelemetry" packages as per cpe provided by NVD. But tool is reporting it on "io.prometheus/simpleclient_tracer_otel" jars as well, which is wrong.

The simpleclient_tracer_otel-0.16.0 jar (io.prometheus:simpleclient_tracer_otel) is a Java Prometheus metrics library that provides OpenTelemetry span context supplier functionality. The dependency-check tool incorrectly matches this Java library against the CPE cpe:2.3:a:opentelemetry:opentelemetry:0.16.0 with Low confidence, which corresponds to the Python/Go OpenTelemetry project - a completely different product. The CVE affects Python OpenTelemetry autoinstrumentation (opentelemetry-instrumentation package), not the Java Prometheus simpleclient library.

From Dependency Check tool team, we need confirmation on these false positives. Could you please validate and confirm?

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions