This repository was archived by the owner on Jan 7, 2026. It is now read-only.

doc(sonarqube): GHSA-m494-w24q-6f7w #25387

Merged: catmsred merged 1 commit into wolfi-dev:main from catmsred:sonarqube/GHSA-m494-w24q-6f7w on Nov 14, 2025

Conversation

@catmsred (Member)

False positive due to mssql-jdbc versioning structure similar to #25255

Relates: https://github.com/chainguard-dev/CVE-Dashboard/issues/35920

@catmsred catmsred marked this pull request as ready for review November 13, 2025 19:19
@jamie-albert (Member) left a comment


For false positives I need more info in the PR body to prove the investigation chain, like:

  1. dependency fix version
  2. fix commit exists in tagged version
  3. which matches the version in wolfi main
  4. verified by dependency version detected as seen in the advisory file

@jamie-albert (Member) commented Nov 14, 2025

You cannot use this here directly like this:

> False positive due to mssql-jdbc versioning structure similar to #25255

because that PR has evidence in it for keycloak. This is sonarqube.

The CVE scan result in the issue comments is not enough evidence alone to claim a false positive.

@catmsred catmsred added this pull request to the merge queue Nov 14, 2025
Merged via the queue into wolfi-dev:main with commit 18a8011 Nov 14, 2025
4 checks passed
@catmsred catmsred deleted the sonarqube/GHSA-m494-w24q-6f7w branch November 14, 2025 11:11