What does the Analyzer column of the table in your screenshot say? If it says OSS Index, then it was reported by an external source and DT can't do anything about it. It seems like OSS Index previously reported CVE-2022-34264 (OSSIndex/vulns#332), but it doesn't anymore.
In 4.7.0 there will be a "Reanalyze" button in the project view which could be used to reanalyze. If OSSIndex no longer reports the vulnerability it should disappear, although I am not sure if DT actually removes vulnerabilities that are no longer reported or only adds new ones when applicable.
A quick look at the code seems to indicate no longer attributed vulnerabilities are not (yet) removed.
Correct. Instead of removing those vulns, automatically suppressing them and / or labeling them as RESOLVED would be better.
The limitation is currently that multiple sources may report such a vulnerability, but only the first of them to report it is captured in the FindingAttribution. If we wanted an automatism that auto-resolves vulns, we would need to track all analyzers that reported it, not just the first.
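As an added illustration of the attribution point above (example code, not Dependency-Track's own): a finding keeps the set of every analyzer currently reporting it and is flagged resolved only once that set empties, which a single first-reporter attribution cannot decide. The `Finding`/`apply_analysis` names and the purl and CVE values are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed model, not Dependency-Track code: track every analyzer that
# reports a finding instead of only the first one, so the finding can be
# auto-resolved once no analyzer reports it any more.

@dataclass
class Finding:
    component: str
    vuln_id: str
    reported_by: set = field(default_factory=set)  # analyzers currently reporting it
    resolved: bool = False

def apply_analysis(findings, analyzer, reported):
    """Merge one analyzer's latest results into the finding table.

    `reported` is the set of (component, vuln_id) pairs this analyzer reports now.
    Findings this analyzer stopped reporting lose it from `reported_by`; a finding
    with no remaining reporters is marked resolved rather than deleted.
    """
    for component, vuln_id in reported:
        f = findings.setdefault((component, vuln_id), Finding(component, vuln_id))
        f.reported_by.add(analyzer)
        f.resolved = False
    for key, f in findings.items():
        if analyzer in f.reported_by and key not in reported:
            f.reported_by.discard(analyzer)
            f.resolved = not f.reported_by
    return findings

def demo():
    """Constructed scenario: OSS Index reports first, NVD second, OSS Index retracts."""
    key = ("pkg:maven/example/lib@4.1.3", "CVE-0000-00000")  # placeholder identifiers
    findings = {}
    apply_analysis(findings, "OSS Index", {key})
    apply_analysis(findings, "NVD", {key})
    apply_analysis(findings, "OSS Index", set())   # OSS Index no longer reports it
    still_open = not findings[key].resolved        # NVD still does, so it stays open
    apply_analysis(findings, "NVD", set())         # NVD drops it too
    return still_open, findings[key].resolved, findings[key].reported_by
```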
Current Behavior
DependencyTrack reports a false positive CVE as the version from NVD is not compared in the right way. If you upload the following cyclonedx file to DependencyTrack 4.5.0, DependencyTrack will report a vulnerability which was fixed in 4.0.6. However, the version in the cyclonedx file is 4.1.3.
See screenshot and cyclonedx file.
cyclonedx.zip
Steps to Reproduce
Expected Behavior
CVE-34265 is not reported in DependencyTrack.
Dependency-Track Version
4.5.x
Dependency-Track Distribution
Container Image
Database Server
N/A
Database Server Version
No response
Browser
Google Chrome
Checklist