Hi Dennis, I checked a few of the more recent CVEs and they don't have that exclusion pattern. Do you have a link to a CVE with the XJC exclusion? For now at least we could mail NIST and ask them to update the pattern for any CVEs that don't have the exclusion pattern.
Colm.

On Mon, Nov 2, 2020 at 7:56 PM Dennis Kieselhorst <[email protected]> wrote:

> > https://nvd.nist.gov/vuln/detail/CVE-2019-12419 marks all the cxf artifacts
> > (cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*) as vulnerable - hence:
> > * cxf-xjc-runtime-3.3.1.jar
> > * cxf-xjc-ts-3.1.0.jar
> >
> > gets marked as vulnerable - even though these are the latest version and
> > unrelated to the issue - is there any way to get this fixed in the CVE? Are
> > you planning on newer versions?
> > If these were released with the same version as CXF the problem could be
> > avoided (we always run with the latest patch-level).
> >
> > Any thoughts?
>
> Hmm in the past I emailed [email protected] and they fixed the pattern. Do
> you have a working proposal already?
>
> Best
> Dennis
