[FP]: Hadoop version (3.4.2) incorrectly identified as shaded dependency version (1.4.0)

[rogermortas]

Package URl

pkg:maven/org.apache.hadoop.thirdparty/hadoop-shaded-protobuf_3_25@1.4.0

CPE

cpe:2.3:a:apache:hadoop:1.4.0:*:*:*:*:*:*:*

CVE

CVE-2022-26612

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.9

Description

The dependency is part of hadoop-client-runtime-3.4.2: hadoop-client-runtime-3.4.2.jar (shaded: org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_25:1.4.0)

This seems to be new behaviour since updating from ODC 12.1.8 to 12.1.9

There are also other CVEs reported but CVE-2022-26612 is CRITICAL (the others are HIGH or less) and the root cause of all seems to be the incorrect version

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.apache.hadoop.thirdparty</groupId>
   <artifactId>hadoop-shaded-protobuf_3_25</artifactId>
   <version>1.4.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #8223
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop-shaded-protobuf_3_25@.*$</packageUrl>
   <cpe>cpe:/a:apache:hadoop</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/20923954667

[chadlwilson]

Approved

If there are a number of the third party artifacts on that Maven group we probably need to craft a more generic suppression.

I suspect youll also need to submit one with the protobuf CPE as the versions won't match there and you'll probably still see CVEs for protobuf itself. And that one might be a more contentious debate.

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.