This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Incorrect vulnerability details #305

Closed
martin-traverse opened this issue Jul 1, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@martin-traverse

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2022-25878?component-type=npm&component-name=protobufjs

Component URL

https://ossindex.sonatype.org/component/pkg:npm/protobufjs@6.11.3?utm_source=dependency-check&utm_medium=integration&utm_content=7.1.1

Description

This issue is fixed in protobufjs 6.11.3, from 6.11.2. The vulnerability explicitly states so, and there is a commit here:

protobufjs/protobuf.js#1731

However, component version 6.11.3 is still flagged as having this vulnerability, and there is not yet a later version available.

Please can the component be updated so version 6.11.3 does not report this vulnerability? Alternatively, if there is still an issue, we'd need to update the vulnerability and report it to the package maintainer.

Hope this makes sense, apologies if I've missed something!

@martin-traverse martin-traverse added the bug Something isn't working label Jul 1, 2022
martin-traverse added a commit to martin-traverse/tracdap that referenced this issue Jul 1, 2022
martin-traverse added a commit to finos/tracdap that referenced this issue Jul 1, 2022
* Update to owasp dep check 0.0.19, fixes dependency vulnerabilities

* Remove omit=dev from npm audit compliance check, now owasp dep check dependencies are fixed

* Latest package lock file for web api

* Add false positive for CVE-2022-25878 in protobufjs 6.11.3
OSSIndex/vulns#305

* Allow WTFPL in allowed licenses for the web API
(used by dependency of OWASP dep check, considered a permissive license)

* False positives for vulnerabilities in AWS hotpatch for Log4j
(we are not using AWS hotpatch)

@ken-duck
Contributor

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

@ken-duck
Contributor

I just heard back. We have additional information from the researchers on this issue:

The Sonatype security research team discovered that the fix for this vulnerability was actually introduced in source files instead of distribution files. The fix should be fully released on the 6.12.0 version. Reference. Also, we discovered that this vulnerability was introduced in version 6.10.0-beta.1 and therefore does not affect all versions prior to version 6.11.3 as stated by the advisory.

We are working on a feature to surface researcher comments when appropriate.

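The researcher note above narrows the affected range from the advisory's "all versions prior to 6.11.3" to "6.10.0-beta.1 up to, but not including, 6.12.0". The following is an added example, not code from this thread or from the protobufjs or OSS Index projects: it checks a protobufjs version against both assessments, using a hand-rolled MAJOR.MINOR.PATCH[-prerelease] comparison so it runs without a semver library; the '0.0.0' lower bound for the advisory is an assumed stand-in for "all versions prior to".

```javascript
// Added example (not from the issue thread, protobufjs or OSS Index): evaluate a
// protobufjs version against the two assessments of CVE-2022-25878 given above.
//   advisory: all versions prior to 6.11.3
//   research: introduced in 6.10.0-beta.1, fixed in distributed files from 6.12.0
// '0.0.0' as the advisory's lower bound is an assumption standing in for
// "all versions prior to".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver prerelease identifiers: numeric ones compare numerically and sort
// before alphanumeric ones, which compare as plain strings.
function compareIdent(x, y) {
  const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
  if (nx && ny) return Number(x) - Number(y);
  if (nx !== ny) return nx ? -1 : 1;
  return x < y ? -1 : x > y ? 1 : 0;
}

// Comparator (<0, 0, >0). A prerelease sorts before the stable release with the
// same core, so 6.10.0-beta.1 < 6.10.0; that ordering is what the range needs.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (!pa.pre || !pb.pre) return (pa.pre ? -1 : 0) + (pb.pre ? 1 : 0);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    if (pa.pre[i] === undefined) return -1; // shorter prerelease sorts first
    if (pb.pre[i] === undefined) return 1;
    const c = compareIdent(pa.pre[i], pb.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Half-open range [introduced, fixed): true when `version` is affected.
function inAffectedRange(version, introduced, fixed) {
  return compareVersions(version, introduced) >= 0 && compareVersions(version, fixed) < 0;
}

const ASSESSMENTS = {
  advisory: { introduced: '0.0.0', fixed: '6.11.3' },
  research: { introduced: '6.10.0-beta.1', fixed: '6.12.0' },
};

// e.g. assessCve202225878('6.11.3') -> { advisory: false, research: true }
function assessCve202225878(version) {
  const out = {};
  for (const [name, r] of Object.entries(ASSESSMENTS)) out[name] = inAffectedRange(version, r.introduced, r.fixed);
  return out;
}
```

For the 6.11.3 build discussed in this thread the two assessments disagree, which is exactly the situation the false-positive suppression in the referenced commit had to deal with.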
@martin-traverse
Author

Thanks for the update, much appreciated. I see protobufjs have now released a new major version as well:

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.0.0
