Open rajatkumardev opened 1 year ago
Are there any occurrences where a CNA, often times a software vendor themselves, rejected the CVE themselves?
For implementation, I think it would be best if this was a configurable option. We can exclude them by default, but if an org wants them enabled for some reason, the platform should provide that.
Agree 👍
This seems to be a duplicate of #1693.
I believe that, however DT handles such vulns, it should be in a way that has VEX as a basis. Thus, I logged https://github.com/CycloneDX/specification/issues/168 to request an enhancement to the CycloneDX specification for VEX.
Current Behavior
This is a screenshot from a project as of today
And this is rejected on NVD https://nvd.nist.gov/vuln/detail/CVE-2022-41852 https://nvd.nist.gov/vuln/detail/CVE-2022-40157
Steps to Reproduce
1. Showing rejected vulnerabilities in Dependency-Track
Expected Behavior
Should not display it as vulnerable
Dependency-Track Version
4.5.x
Dependency-Track Distribution
Container Image
Database Server
Microsoft SQL Server
Database Server Version
No response
Browser
Google Chrome
Checklist
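As an added example (not Dependency-Track's own code), a Python sketch of the behaviour requested in this issue: detect CVEs that NVD has rejected, exclude them from the finding list by default, and provide a configurable switch that keeps them but records them with a CycloneDX VEX `false_positive` analysis state so they are not counted as open vulnerabilities. The JSON sample is constructed to mimic the NVD API 2.0 layout (the `vulnStatus` field and the legacy `** REJECT **` description prefix); the third CVE id is a made-up placeholder.

```python
"""Filter NVD-rejected CVEs out of a finding list, or keep them flagged as VEX false positives."""
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on NVD API 2.0 JSON; not real API output.
# The two rejected ids are the ones referenced in the issue; the third is a placeholder.
NVD_SAMPLE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2022-41852", "vulnStatus": "Rejected",
                 "descriptions": [{"lang": "en", "value": "** REJECT ** Not a vulnerability."}]}},
        {"cve": {"id": "CVE-2022-40157", "vulnStatus": "Rejected",
                 "descriptions": [{"lang": "en", "value": "** REJECT ** Duplicate."}]}},
        {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Analyzed",
                 "descriptions": [{"lang": "en", "value": "Constructed non-rejected entry."}]}},
    ]
}


def is_rejected(cve: dict) -> bool:
    """True when NVD marks the CVE rejected, either via the vulnStatus field
    or via the older '** REJECT **' prefix in the English description."""
    if cve.get("vulnStatus") == "Rejected":
        return True
    return any(d.get("value", "").startswith("** REJECT **")
               for d in cve.get("descriptions", []))


@dataclass
class Finding:
    cve_id: str
    # CycloneDX VEX analysis state: 'in_triage' for live findings,
    # 'false_positive' for CVEs the authority has withdrawn.
    analysis_state: str


def triage(nvd_json: dict, include_rejected: bool = False) -> List[Finding]:
    """Turn NVD records into findings. Rejected CVEs are dropped by default;
    with include_rejected=True they are kept as VEX 'false_positive' entries
    so a UI can show them without reporting the component as vulnerable."""
    findings: List[Finding] = []
    for entry in nvd_json["vulnerabilities"]:
        cve = entry["cve"]
        if is_rejected(cve):
            if include_rejected:
                findings.append(Finding(cve["id"], "false_positive"))
            continue
        findings.append(Finding(cve["id"], "in_triage"))
    return findings
```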