-
|
Hi, we're dependent on a library that uses Jose 2.0.6, and security scanning software is popping these three CVEs. The version flag is <3.11.4, which will defacto include all of 2.x.x, so I'm thinking this is a false positive given 2.0.6 was published after 3.11.4, but wanted to check and get it sorted out. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
|
Your security scanning is wrong. Those three CVEs are not for the "jose" library but for runtime specific packages. 2.0.6 is fine. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks. It may be worth trying to update the CPEs to prevent this from being flagged by scanning software. It looks like the package name isn't correct.
|
Beta Was this translation helpful? Give feedback.
-
|
Never mind, I can see you've done that here: The NVD listing is not using the right information. |
Beta Was this translation helpful? Give feedback.
-
|
I sent NVD a request to update their CPEs. |
Beta Was this translation helpful? Give feedback.
-
|
NVD has updated their CPEs. The false positive should stop showing up as scanning tools update their databases. https://nvd.nist.gov/vuln/detail/CVE-2021-29446 |
Beta Was this translation helpful? Give feedback.
-
|
Amazing. Thank you! |
Beta Was this translation helpful? Give feedback.
Your security scanning is wrong. Those three CVEs are not for the "jose" library but for runtime specific packages. 2.0.6 is fine.