[FP]: Elastic APM Agent(s) detected as Elastic Agent

[OrangeDog]

Package URl

pkg:maven/co.elastic.apm/apm-agent-api@1.55.6

CPE

cpe:2.3:a:elastic:elastic_agent:1.55.6:::::::*

CVE

CVE-2023-46669

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.2.2

Description

NVD have just added a new CPE elastic:elastic_agent for Elastic Agent, causing a raft of new FPs for Elastic APM Agent components.

More examples:

apm-agent-api-1.55.6.jar (pkg:maven/co.elastic.apm/apm-agent-api@1.55.6, cpe:2.3:a:elastic:apm_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:apm_java_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elastic_agent:1.55.6:*:*:*:*:*:*:*) : CVE-2024-52976, CVE-2023-46669
apm-agent-attach-1.55.6.jar\META-INF/maven/co.elastic.apm/apm-agent-common/pom.xml (pkg:maven/co.elastic.apm/apm-agent-common@1.55.6, cpe:2.3:a:elastic:apm_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:apm_java_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elastic_agent:1.55.6:*:*:*:*:*:*:*) : CVE-2024-52976, CVE-2023-46669
apm-agent-attach-1.55.6.jar: elastic-apm-agent.jar\META-INF/maven/co.elastic.apm/elastic-apm-agent-premain/pom.xml (pkg:maven/co.elastic.apm/elastic-apm-agent-premain@1.55.6, cpe:2.3:a:elastic:apm_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:apm_java_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elastic_agent:1.55.6:*:*:*:*:*:*:*) : CVE-2024-52976, CVE-2019-7617, CVE-2023-46669
apm-agent-attach-1.55.6.jar: elastic-apm-agent.jar (pkg:maven/co.elastic.apm/elastic-apm-agent@1.55.6, cpe:2.3:a:elastic:apm_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:apm_java_agent:1.55.6:*:*:*:*:*:*:*, cpe:2.3:a:elastic:elastic_agent:1.55.6:*:*:*:*:*:*:*) : CVE-2024-52976, CVE-2019-7617, CVE-2023-46669

[github-actions]

Maven Coordinates

<dependency>
  <groupId>co.elastic.apm</groupId>
  <artifactId>apm-agent-api</artifactId>
  <version>1.55.6</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8529
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/co\.elastic\.apm/apm-agent-api@.*$</packageUrl>
    <cpe>cpe:/a:elastic:elastic_agent:</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/26172816074

[OrangeDog]

Hang on a minute, this should already be covered by this suppression. I'm not sure what's changed today to suddenly make all these show up.

[chadlwilson]

See #8525 (regression in hosted suppression rule - my bad)

[chadlwilson]

Sorry about this. Wrangling hundreds of XML suppressions across two branches using regex with zero automated testing is a nightmare, to put it mildly.

If you follow through the chain of PRs, the attempt is to make things consistent and reduce the false negatives caused by naive string prefix matching of CPEs as is the current default, but is dangerous. (E.g attempt to suppress something for elastic server CPE will end up suppressing for elastic_agent as well)