[FP]: Keycloak services for CVE-2021-3632

[edward9944]

Package URl

pkg:maven/org.keycloak/keycloak-ldap-federation@6.0.1

CPE

cpe:2.3:a:keycloak:keycloak:6.0.1:::::::, cpe:2.3:a:redhat:keycloak:6.0.1:::::::

CVE

CVE-2021-3632

ODC Integration

None

ODC Version

9.1.0

Description

Actual vulnerable component in Keycloak services

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.keycloak</groupId>
   <artifactId>keycloak-ldap-federation</artifactId>
   <version>6.0.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6672
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak-ldap-federation@.*$</packageUrl>
   <cpe>cpe:/a:keycloak:keycloak</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/9111779595

[aikebah]

It's part of the keycloak project

https://github.com/keycloak/keycloak/blob/main/federation/ldap/pom.xml

and as such will receive the exact same CPE from NIST NVD

We don't do submodule attribution for vulnerabilities listed in the NVD. If you'd like to have submodule attribution of CVEs you would have to resort to licensed SCA vulnerability scanners that have the means to build and maintain their own database of vulnerabilities versus libraries or accept the occasional false-positive because your used lib is a non-vulnerable subcomponent of a project that has vulnerabilities in the same version of some other component.