False Positives Reported by "OWASP Dependency Check"

Last modified by Frank Fock on 2024/05/25 20:46

SNMP4J libraries are currently (26 Apr 2018) reported as:

The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet.

CVSS:7.5
URL:CVE-2015-5621
CWE:CWE-19 Data Handling

It seems that the OWASP dependency check simply looks for the keyword "SNMP" in JAR and package names (which is part of SNMP4J). That is of course too simple and really bad quality. A bug report has been created at OWASP dependency check:  

https://github.com/jeremylong/DependencyCheck/issues/1248

False Positive!

SNMP4J and any related APIs (i.e. SNMP4J-Agent, SNMP4J-AgentX, SNMP4J-SMI-PRO, SNMP4J-Model, ...) have no dependencies to NET-SNMP and they do not have any code in common.