Prisma Compute: Why do vulnerabilities for a different jar artifactId show up on the scan report for an artifactId that does not have the vulnerabilities?
Created On 04/27/23 01:53 AM - Last Modified 03/21/25 17:17 PM
Question
As per Maven, for Log4j version 1.2.16 CVE-2022-23307 exists for artifactId log4j, groupId log4j,
but does not exist for artifactId com.springsource.org.apache.log4j, groupId org.apache.log4j.
However, the Prisma Compute scan report shows CVE-2022-23307 for artifactId log4j.
Why does a CVE from an affected artifactId get reported on an artifactId that has the fix?
Environment
- Prisma Cloud Compute
Answer
If the artifactId that has the fix is examined, it has a dependency on the artifactId that has the vulnerability.
user1@node2:~$ jar tf com.springsource.org.apache.log4j-1.2.16.jar
META-INF/
META-INF/MANIFEST.MF
META-INF/LICENSE
META-INF/NOTICE
META-INF/maven/
META-INF/maven/log4j/
META-INF/maven/log4j/log4j/
META-INF/maven/log4j/log4j/pom.properties
META-INF/maven/log4j/log4j/pom.xml
In the above case, com.springsource.org.apache.log4j is the artifactId that does not have CVE-2022-23307 but still gets reported.
That is because artifactId log4j has the vulnerability and com.springsource.org.apache.log4j has the dependency on it.
META-INF/maven/log4j/log4j/pom.properties is the dependency: artifactId log4j, groupId log4j.
The scanner identifies the package from the Maven coordinates embedded in the jar, not from the jar's file name.
Hence this is expected.