Description
We have some strange data in VCIO for pkg:maven/org.apache.activemq/[email protected]. There are currently 4 VCIDs for this package:
- VCID-h1ua-8jbg-aaag
- VCID-ngge-wjjg-aaas
- VCID-ra92-t3ms-aaaa
- VCID-wcbb-1nm4-aaab
The data for VCID-wcbb-1nm4-aaab looks normal with an immediate fix: pkg:maven/org.apache.activemq/[email protected]
The other 3 are weird because the vulnerabilities are reported for ActiveMQ version 5.x, but the latest ActiveMQ Artemis release is 2.38. According to https://activemq.apache.org/, "There are currently two "flavors" of ActiveMQ available - the well-known "classic" broker and the "next generation" broker code-named Artemis. Once Artemis reaches a sufficient level of feature parity with the "Classic" code-base it will become the next major version of ActiveMQ." So these appear to be two distinct packages.
From looking at the NVD/CVE data I see that:
- The CPE for VCID-wcbb-1nm4-aaab is `cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*`, but
- the CPE for the other three is `cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*`.
- For the latter 3 cases the CVE data refers to v5.x.
From looking at the GHSA data I see references to more specific ActiveMQ (Classic) packages:
- `org.apache.activemq:apache-activemq`: `< 5.16.6`; `>= 5.17.0, < 5.17.4`
- `org.apache.activemq:activemq-parent`: `>= 5.16.0, < 5.16.1`; `< 5.15.14`
- `org.apache.activemq:activemq-client` / `org.apache.activemq:activemq-openwire-legacy`
My take is that the three VCIDs that refer to ActiveMQ (Classic) v5.x are false positives based on a generic CPE without versions.
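To make that reasoning concrete, here is an added Python triage check (example code, not VulnerableCode's own matching logic) that parses the two CPE strings, evaluates the GHSA ranges, and flags a match that rests only on a versionless CPE whose product differs from the package's. The Artemis Maven artifactId is obfuscated in this issue, so a placeholder coordinate stands in for it.

```python
"""Added triage helper for CPE-derived advisory matches (not VulnerableCode code)."""
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "=": operator.eq}


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields; '\\:' escapes are honoured."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, parts[2:]))


def version_key(v: str) -> tuple:
    """Numeric tuple so that 5.16.6 sorts after 5.9.0 (string comparison gets this wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_in_range(version: str, range_spec: str) -> bool:
    """True if `version` satisfies every comma-separated constraint, e.g. '>= 5.17.0, < 5.17.4'.
    Note: '< 5.16.6' is satisfied by 2.38.0, so a bare range check cannot exclude Artemis;
    the artifact coordinates the range is attached to must be compared as well."""
    for constraint in range_spec.split(","):
        op, bound = re.fullmatch(r"(<=|>=|<|>|=)\s*(\S+)", constraint.strip()).groups()
        if not OPS[op](version_key(version), version_key(bound)):
            return False
    return True


def match_reasons(pkg: dict, advisory: dict) -> dict:
    """Explain a package/advisory match.
    pkg: {"coords": "groupId:artifactId", "version": str, "cpe_product": str}
    advisory: {"cpe": str, "ghsa_affected": [("groupId:artifactId", range_spec), ...]}
    A match backed only by a versionless CPE naming a different product is flagged;
    a GHSA hit on the exact Maven coordinates and version range is not."""
    cpe = parse_cpe23(advisory["cpe"])
    ghsa_hits = [coords for coords, rng in advisory["ghsa_affected"]
                 if coords == pkg["coords"] and version_in_range(pkg["version"], rng)]
    return {
        "ghsa_coordinate_match": ghsa_hits,
        "cpe_product_match": cpe["product"] == pkg["cpe_product"],
        "cpe_is_versionless": cpe["version"] in ("*", "-"),
        "likely_false_positive": not ghsa_hits and cpe["product"] != pkg["cpe_product"],
    }
```

Running `match_reasons` with the Artemis package (placeholder coordinates, version 2.38.0, product `activemq_artemis`) against the generic `activemq` CPE and the GHSA ranges above reports `likely_false_positive: True`, while `org.apache.activemq:apache-activemq` at 5.17.2 is a clean GHSA coordinate match.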
There are 2 follow-up items:
- Do we have a bug in data collection?
- How do we fix false positives like this?