[FP]: autohooks-plugin-black is detected as black, however they have transitive dependency
#6570
Comments
|
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612043435 |
vmatyusGitHub
changed the title
autohooks-plugin-black is detected as black, but they have transitive dependencyautohooks-plugin-black is detected as black, however they have transitive dependency
|
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612071108 |
github-actions
bot
added
pending more information
and removed
pending more information
labels
|
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612099202 |
github-actions
bot
added
pending more information
and removed
pending more information
labels
|
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612107239 |
|
This issue report triggered 7 workflow errors: https://github.com/jeremylong/DependencyCheck/actions/runs/8612107239 |
|
Our project uses ODC through Jenkins Plugin: https://plugins.jenkins.io/dependency-check-jenkins-plugin/ |
|
@vmatyusGitHub The workflow errors are because you copied a website URL for the package, rather that a packageURL for the packageURL field. The packageUrl will start with pkg: and can be found on the dependencyCheck report outputted by your scan. Same holds for the CPE |
Package URl
https://pypi.org/project/autohooks-plugin-black/
CPE
Unknown
CVE
CVE-2024-21503
ODC Integration
{"label"=>"CLI"}
ODC Version
8.4.2
Description
Dependency check reported CVE-2024-21503 in black, this way it is suggested to update to use version 24.3.0.
I made the update in the project, but dependency checker still reports a problem with black:23.10.0:
File Path /home/*/dependencies/site-packages/autohooks/plugins/black/__init__.pyI suspect because
autohooks-plugin-black = ">=23.10.0"in use.See package details in this comment: greenbone/autohooks#650 (comment)
I reported the issue to the project provider: greenbone/autohooks#650, but he is also confused why is this package vulnerable.
Turned out ODC sees
autohooks-plugin-blackas ablackimage. But they are two separate and transitive image. See comment here.The text was updated successfully, but these errors were encountered: