DT attributes CVE-2022-48174 to the component pkg:apk/alpine/busybox@1.36.1-r18?arch=x86_64&distro=3.19.1 although the vulnerability has already been resolved in the earlier package version 1.36.1-r2:
The root cause of this issue appears to be DT's sorting methodology. Instead of a numerical sort, the application is performing a lexical sort on version identifiers, mistakenly interpreting the version 1.36.1-r18 as an earlier, and thus vulnerable, release compared to 1.36.1-r2.
Steps to Reproduce
Ensure that Google OSV advisory mirroring is enabled.
Create a new project.
In the newly created project, create a new component with the following purl: pkg:apk/alpine/busybox@1.36.1-r18?arch=x86_64&distro=3.19.1.
Check whether CVE-2022-48174 has been attributed to the newly created component.
Expected Behavior
CVE-2022-48174 should not be attributed to the newly created component.
nscuro
commented
1 month ago
Current Behavior
DT attributes CVE-2022-48174 to the component
pkg:apk/alpine/busybox@1.36.1-r18?arch=x86_64&distro=3.19.1although the vulnerability has already been resolved in the earlier package version1.36.1-r2:The root cause of this issue appears to be DT's sorting methodology. Instead of a numerical sort, the application is performing a lexical sort on version identifiers, mistakenly interpreting the version
1.36.1-r18as an earlier, and thus vulnerable, release compared to1.36.1-r2.Steps to Reproduce
pkg:apk/alpine/busybox@1.36.1-r18?arch=x86_64&distro=3.19.1.Expected Behavior
CVE-2022-48174 should not be attributed to the newly created component.
Dependency-Track Version
4.11.3
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
15.5
Browser
Microsoft Edge
Checklist