Vulns may still pop if the plugin only checks the version in use, so if you've forked, the plugin will pop even if the vulnerability is somehow not present - it still sees the affected version. I only looked at the first one, for Pimcore, but that plugin is a version check. Check out the others for same.
Current Behavior
Components that do not have any vulnerabilities are shown as vulnerable components with CVEs in Dependency-Track 4.12.1.
Example:
Name: @react-leaflet/core
Version: 2.1.0
Purl: pkg:npm/%40react-leaflet/core@2.1.0
Attached is the list of CVEs shown by DT for the above example component.
Steps to Reproduce
1. Create the component and provide the purl as given above.
2. Check for vulnerabilities; it shows 10 vulnerabilities.
3. Checked the component and version in other vulnerability sources, but they show no vulnerability (Snyk).
Expected Behavior
1. Only the current vulnerability should be shown.
2. Historical vulnerabilities should not be shown.
Dependency-Track Version
4.12.1
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
12
Browser
Google Chrome