CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Google chat: https://chat.google.com/room/AAAA6l2dO60?cls=7
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

CVE-2024-0057 in cyclonedx/cdxgen-deno:v10.11.0 #1453

Closed cmontemuino closed 5 hours ago

cmontemuino commented 19 hours ago

Our Trivy scan is reporting CVE-2024-0057.

Vulnerability information:

```
+--------------------------------------------------------------------------------------------------------------+-------------------------+----------+-------------------+--------------------------------------------------+------------------------------------------------------------+-------------------------------------------+
|                                                     Type                                                     |         Library         | Severity | Installed Version |                  Fixed Version                   |                          Summary                           |                More Details               |
+--------------------------------------------------------------------------------------------------------------+-------------------------+----------+-------------------+--------------------------------------------------+------------------------------------------------------------+-------------------------------------------+
| usr/lib64/dotnet/sdk/8.0.110/Containers/tasks/net8.0/Microsoft.NET.Build.Containers.deps.json (dotnet-core)  | NuGet.Packaging (None)  | CRITICAL |   6.8.1-rc.32767  | 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 | dotnet: X509 Certificates - Validation Bypass across Azure | https://avd.aquasec.com/nvd/cve-2024-0057 |
|                        usr/lib64/dotnet/sdk/8.0.110/MSBuild.deps.json (dotnet-core)                          | NuGet.Packaging (None)  | CRITICAL |   6.8.1-rc.32767  | 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 | dotnet: X509 Certificates - Validation Bypass across Azure | https://avd.aquasec.com/nvd/cve-2024-0057 |
|                usr/lib64/dotnet/sdk/8.0.110/NuGet.CommandLine.XPlat.deps.json (dotnet-core)                  | NuGet.Packaging (None)  | CRITICAL |   6.8.1-rc.32767  | 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 | dotnet: X509 Certificates - Validation Bypass across Azure | https://avd.aquasec.com/nvd/cve-2024-0057 |
|                         usr/lib64/dotnet/sdk/8.0.110/dotnet.deps.json (dotnet-core)                          | NuGet.Packaging (None)  | CRITICAL |   6.8.1-rc.32767  | 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 | dotnet: X509 Certificates - Validation Bypass across Azure | https://avd.aquasec.com/nvd/cve-2024-0057 |
+--------------------------------------------------------------------------------------------------------------+-------------------------+----------+-------------------+--------------------------------------------------+------------------------------------------------------------+-------------------------------------------+
No allowlisted vulnerabilities
```
aryan-rajoria commented 18 hours ago

Thank you @cmontemuino. For clarification, I wanted to ask if 6.8.1-rc.32767 is an affected version, since the scan has mentioned the installed version as 6.8.1-rc.32767 and the corresponding fixed version is 6.8.1.

Could you please share the result from dep-scan?
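Why a scanner can report 6.8.1-rc.32767 as below a fix of 6.8.1: under SemVer 2.0.0 precedence a pre-release sorts before the release it precedes, so a plain version comparison places the rc below the fixed version regardless of what was actually built. The following is an added example, not code from cdxgen or Trivy, that implements that precedence rule and runs it over one row constructed from the table above; it assumes the scanner compares versions this way and, where no fix is listed on the installed major.minor line, falls back to the highest listed fix.

```python
from functools import cmp_to_key

# One row constructed to mirror the Trivy table quoted in this issue.
TRIVY_ROWS = """\
| usr/lib64/dotnet/sdk/8.0.110/MSBuild.deps.json (dotnet-core) | NuGet.Packaging (None) | CRITICAL | 6.8.1-rc.32767 | 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 | dotnet: X509 Certificates - Validation Bypass across Azure | https://avd.aquasec.com/nvd/cve-2024-0057 |
"""

def parse_version(v):
    """'6.8.1-rc.32767' -> ((6, 8, 1), ['rc', 32767]); a release has no pre-release ids."""
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))
    ids = [int(p) if p.isdigit() else p for p in pre.split(".")] if pre else []
    return nums, ids

_cmp = lambda x, y: (x > y) - (x < y)  # three-way compare: -1, 0 or 1

def compare(a, b):
    """SemVer 2.0.0 precedence (rule 11): -1 if a < b, 0 if equal, 1 if a > b."""
    core_a, pre_a = parse_version(a)
    core_b, pre_b = parse_version(b)
    if core_a != core_b:
        return _cmp(core_a, core_b)
    if not pre_a or not pre_b:
        return _cmp(bool(pre_b), bool(pre_a))  # a pre-release sorts before its release
    for ia, ib in zip(pre_a, pre_b):
        if ia == ib:
            continue
        if isinstance(ia, int) != isinstance(ib, int):
            return -1 if isinstance(ia, int) else 1  # numeric ids rank below alphanumeric
        return _cmp(ia, ib)
    return _cmp(len(pre_a), len(pre_b))  # longer id list wins when the shared prefix ties

def is_below_fix(installed, fixed_versions):
    """Scanner-style verdict: installed sorts before the fix on its own major.minor line,
    or, when that line has no fix, before the highest listed fix (simplifying assumption)."""
    line = parse_version(installed)[0][:2]
    same = [f for f in fixed_versions if parse_version(f)[0][:2] == line]
    target = same[0] if same else max(fixed_versions, key=cmp_to_key(compare))
    return compare(installed, target) < 0

def triage(table_text):
    """Parse Trivy's ASCII table and say whether each installed version sorts below its fix."""
    findings = []
    for row in table_text.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 5 or not cells[3][:1].isdigit():
            continue  # skip border and header lines
        fixes = [f.strip() for f in cells[4].split(",")]
        findings.append((cells[1], cells[3], is_below_fix(cells[3], fixes)))
    return findings
```

A result of True only says the version string sorts below the fix; whether the bundled build actually contains the vulnerable code is a separate question that the version label alone cannot settle.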

prabhu commented 16 hours ago

We bundle dotnet 8. Don't know why Trivy is reporting incorrect versions, so feel free to file a defect in their repo.

In general, these reports are unnecessary. The docker images are automatically rebuilt every day, so there is nothing else we could do. The users are responsible for maintaining their own images.

cmontemuino commented 5 hours ago

Hi @prabhu -- I couldn't really find where that dependency is coming from in this repo, so let's close the issue as false positive.