[FP]: lodash: 4.17.21 identified as vulnerable multiple cve's #6414
Comments
|
Error parsing package url: https://ossindex.sonatype.org/component/pkg:npm/lodash@0px. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report. |
|
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7612404195 |
|
I tried the following:
But fail to reproduce. Based on the URL towards OSSIndex that you quote you suffer from a mangled lodash package that gets identified as lodash version 0px. My run properly shows lodash as lodash v4.17.21 and surfaces no FPs |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
https://ossindex.sonatype.org/component/pkg:npm/lodash@0px
CPE
pkg:javascript/lodash@0px
CVE
CVE-2019-10744 CVE-2021-23337 CVE-2018-3721 CVE-2019-1010266 CVE-2018-16487 CVE-2020-28500
ODC Integration
{"label"=>"CLI"}
ODC Version
9.0.9
Description
Versions of lodash lower than 4.17.12 have the following cve's:
CVE-2019-10744
CVE-2021-23337
CVE-2018-3721
CVE-2019-1010266
CVE-2018-16487
CVE-2020-28500
But they are also flagged for lodash: 4.17.21
The text was updated successfully, but these errors were encountered: