False-Positive: CVE-2021-39913 #286
Comments
It's matching gitlab:gitlab. We recently added an exclusion to match numpy:numpy for python. Since gitlab itself is developed in ruby, this list is acceptable for
This commit trims some false positives using
On vdb6, it works fine since no aliases are involved.
I can't run this way :)

```
vulnerability-db-6.0.1/vdb$ python cli.py --search "pkg:pypi/gitlab@1.0.2"
Traceback (most recent call last):
  File "/home/user/Desktop/Programs/vulnerability-db-6.0.1/vdb/cli.py", line 15, in <module>
    from vdb.lib import config, db6 as db_lib, search
ImportError: cannot import name 'db6' from 'vdb.lib' (/home/user/.local/lib/python3.10/site-packages/vdb/lib/__init__.py)
```

When I try to install dependencies:

```
$ poetry install
[tool.poetry] section not found in /home/user/Desktop/Programs/vulnerability-db-6.0.1/pyproject.toml
```
@almaz045, use the pypi version
```
$ vdb --search "pkg:pypi/gitlab@1.0.2"
 ___ /\ ._ ._ | |_ ._ _ _. _|_ /--\ |_) |_) | | | | (/_ (_| |_ | |
VDB Results
┏━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━┓
┃ CVE ┃ Locator ┃ Description ┃
┡━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━┩
└─────┴─────────┴─────────────┘
```

Now it works well. Now I need to update vdb to 5.6.7 to avoid the previously noted FPs, or does this only work for 6.0.1?

@almaz045, 5.6.7 trims down a bit but not a lot. 6.0.1 will be used by depscan v6 which might reduce the false positives a bit more. The fundamental issue we are dealing with is the need for aliases to match the NVD data, which surprisingly has correct information for a few CVEs that are missed by both OSV and GHSA. These aliases are also resulting in false positives.
PURL of wrongly matched component
pkg:pypi/gitlab@1.0.2
Depscan findings
P.S. the latest version of pypi/gitlab is 1.0.2 (https://pypi.org/project/gitlab/1.0.2/#history). But depscan thinks that this pypi package == gitlab version, but it is just a pypi package version, which we can't directly map to the gitlab version.
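As an added illustration of the alias problem described in the report above and in the maintainer's comments (this is example code, not vdb's or depscan's own implementation): a minimal purl parser plus a per-ecosystem allow-list, so that numpy:numpy may match a pypi package while gitlab:gitlab is refused for pkg:pypi/gitlab because the CPE refers to the Ruby GitLab application. The allow-list contents, the gem purl and the function names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed per-ecosystem allow-list (an assumption, not vdb's own data):
# CPE vendor:product aliases that may be applied to packages of a purl type.
# numpy:numpy for pypi is the exclusion mentioned in the thread; gitlab:gitlab
# is acceptable only for Ruby gems, since GitLab itself is a Rails application.
ALIAS_ALLOWLIST = {
    "pypi": {"numpy:numpy"},
    "gem": {"gitlab:gitlab"},
}

@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str | None
    name: str
    version: str | None

def parse_purl(purl: str) -> Purl:
    """Minimal purl parser: pkg:type/namespace/name@version (qualifiers dropped)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, path = body.partition("/")
    if not ptype or not path:
        raise ValueError(f"malformed purl: {purl}")
    segments = path.split("/")
    name, _, version = segments[-1].partition("@")  # an '@' in a scope stays in the namespace
    namespace = "/".join(segments[:-1]) or None
    return Purl(ptype.lower(), namespace, name.lower(), version or None)

def alias_match_allowed(purl: str, cpe_alias: str) -> bool:
    """True only when the vendor:product alias is allow-listed for the package's ecosystem."""
    p = parse_purl(purl)
    alias = cpe_alias.lower()
    _vendor, _, product = alias.partition(":")
    if product != p.name:
        return False  # no name overlap at all, so no alias question arises
    return alias in ALIAS_ALLOWLIST.get(p.type, set())

def filter_alias_findings(findings: list[tuple[str, str, str]]) -> tuple[list[str], list[str]]:
    """Split (cve, purl, cpe_alias) findings into kept and dropped CVE ids."""
    kept, dropped = [], []
    for cve, purl, alias in findings:
        (kept if alias_match_allowed(purl, alias) else dropped).append(cve)
    return kept, dropped
```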