I have a project with a vulnerable log4j 2 jar. The dependency check Jenkins plugin report does not contain the finding CVE-2021-44228.

I ran the standalone dependency check on the command line and it finds the vulnerability.

I've ensured Jenkins is using the latest dependency check version and NVD files.

Other vulnerable jar files are being found and detected but not this one.

[JENKINS-67364] Not finding CVE-2021-44228

Frank Conover added a comment -

Maybe the GUI isn't showing everything that is in the XML report?

I'm not sure how to follow it but I found this for log4j.

<identifiers>
  <package confidence="HIGH">
    <id>pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1</id>
  </package>
  <vulnerabilityIds confidence="HIGHEST">
    <id>cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*</id>
    <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;search_type=all&amp;cpe_vendor=cpe%3A%2F%3Aapache&amp;cpe_product=cpe%3A%2F%3Aapache%3Alog4j&amp;cpe_version=cpe%3A%2F%3Aapache%3Alog4j%3A2.14.1</url>
  </vulnerabilityIds>
</identifiers>

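One way to check the XML report directly, independently of what the plugin GUI renders, is to walk it and list per jar the CPE identifiers and the CVE names attached. The Python below is an added example, not code from the ticket, the Jenkins plugin or dependency-check itself; the sample report is constructed, and the element names outside the quoted identifiers block (dependency, fileName, vulnerabilities, vulnerability, name) and the xmlns are assumptions based on the dependency-check XML schema. It also flags jars that were matched to a CPE but carry no CVE, which is the NVD data-feed lag case the thread runs into.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real scan; element names outside the ticket's <identifiers> block are assumed.
SAMPLE_REPORT = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.5.xsd">
  <dependencies>
    <dependency>
      <fileName>log4j-core-2.14.1.jar</fileName>
      <identifiers>
        <package confidence="HIGH"><id>pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1</id></package>
        <vulnerabilityIds confidence="HIGHEST"><id>cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*</id></vulnerabilityIds>
      </identifiers>
      <vulnerabilities><vulnerability source="NVD"><name>CVE-2021-44228</name></vulnerability></vulnerabilities>
    </dependency>
    <dependency>
      <fileName>example-lib-1.0.jar</fileName>
      <identifiers>
        <vulnerabilityIds confidence="HIGH"><id>cpe:2.3:a:example:example-lib:1.0:*:*:*:*:*:*:*</id></vulnerabilityIds>
      </identifiers>
    </dependency>
  </dependencies>
</analysis>"""

def _local(tag):  # strip any {namespace} prefix so reports with or without xmlns parse the same
    return tag.rsplit("}", 1)[-1]

def parse_report(xml_text):
    """Return {fileName: {"cpes": [...], "cves": [...]}} for every <dependency>."""
    result = {}
    for dep in ET.fromstring(xml_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        name, entry = None, {"cpes": [], "cves": []}
        for el in dep.iter():
            tag, text = _local(el.tag), (el.text or "").strip()
            if tag == "fileName":
                name = text
            elif tag == "id" and text.startswith("cpe:"):    # CPE match under <vulnerabilityIds>
                entry["cpes"].append(text)
            elif tag == "name" and text.startswith("CVE-"):  # <vulnerability><name>
                entry["cves"].append(text)
        result[name] = entry
    return result

def dependencies_reporting(xml_text, cve_id):
    """Jars whose <vulnerabilities> list names cve_id: what the plugin GUI should display."""
    return sorted(n for n, e in parse_report(xml_text).items() if cve_id in e["cves"])

def identified_but_silent(xml_text):
    """Jars matched to a CPE but carrying no CVE: the NVD data-feed lag the ticket describes."""
    return sorted(n for n, e in parse_report(xml_text).items() if e["cpes"] and not e["cves"])
```

Point it at the dependency-check-report.xml the Jenkins job archives to compare against what the plugin's report page shows.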

Frank Conover added a comment -

The CVE is now being reported.

I'm not sure what caused the delay but it appears the plugin works as expected.


Frank Conover added a comment -

Plugin works as expected.

There must be a delay on the NIST end in updating the data feeds because the second log4j vulnerability isn't yet being reported by the plugin.


            frankconover Frank Conover