OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Bug: CVE-2019-20478 false positive on latest version of ruamel.yaml #290

Closed gcradden closed 1 year ago

gcradden commented 2 years ago

The CVE page says this only affects versions up to 0.16.7 of ruamel.yaml: https://nvd.nist.gov/vuln/detail/CVE-2019-20478. But the Python ossaudit tool is reporting it on version 0.17.21.

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

Sonatype deep dive researchers have verified our data and the vulnerable portion of code is still present in the latest release (v0.17.21). A deprecation message has been added but the default behavior is vulnerable.

This is important to note, because although a deprecated API might be obvious in your IDE while developing, one of your dependencies might itself be using the deprecated APIs and you would be none the wiser.

We are working on an OSS Index feature whereby "deviation" notices explaining why OSS Index has deviated from the CVE data will be made available.
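The comment above makes the practical point: the deprecated `ruamel.yaml.load()` call still defaults to the unsafe loader, and a call buried in a dependency never shows you the deprecation warning. The following is an added example, not code from OSS Index, Sonatype or the ruamel.yaml project. It is a small AST scanner that walks a source tree (for instance a virtualenv's `site-packages`) and flags `ruamel.yaml.load(...)` calls made without a `Loader=`, calls that pass a loader other than `SafeLoader`/`RoundTripLoader` (the set treated as safe here is an assumption of this example), and, going beyond the deprecated API the thread discusses, `YAML(typ='unsafe')` instances of the newer API. The "dependency" it scans is a constructed temporary directory written by `demo()`.

```python
"""Static check for ruamel.yaml load() calls that rely on the unsafe default loader.

Added example (not OSS Index / Sonatype / ruamel.yaml code). Assumptions:
- Loaders named SafeLoader or RoundTripLoader are treated as safe; everything
  else (the default, Loader, UnsafeLoader, ...) is flagged.
- YAML(typ='unsafe') is flagged as well, although it is the newer API.
"""
import ast
import tempfile
from dataclasses import dataclass
from pathlib import Path

SAFE_LOADERS = {"SafeLoader", "RoundTripLoader"}  # assumption, see docstring


@dataclass
class Finding:
    path: str
    lineno: int
    reason: str


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None (e.g. for calls)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Scanner(ast.NodeVisitor):
    def __init__(self, path):
        self.path = path
        self.aliases = {}  # local binding -> fully qualified module/attribute name
        self.findings = []

    def visit_Import(self, node):
        # "import ruamel.yaml" binds the top-level name "ruamel";
        # "import ruamel.yaml as ry" binds "ry" to "ruamel.yaml".
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name
            else:
                top = a.name.split(".")[0]
                self.aliases[top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # "from ruamel import yaml" / "from ruamel.yaml import load as yload"
        if node.module:
            for a in node.names:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        self.generic_visit(node)

    def _qualname(self, func):
        dotted = _dotted(func)
        if not dotted:
            return None
        head, _, rest = dotted.partition(".")
        base = self.aliases.get(head)
        if base is None:
            return None
        return base + ("." + rest if rest else "")

    def visit_Call(self, node):
        qn = self._qualname(node.func)
        if qn == "ruamel.yaml.load":
            # Loader may be passed as keyword or as the second positional arg.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) >= 2:
                loader = node.args[1]
            if loader is None:
                self.findings.append(Finding(self.path, node.lineno,
                    "load() without Loader= falls back to the unsafe default loader"))
            else:
                name = _dotted(loader) or "<expression>"
                if name.rsplit(".", 1)[-1] not in SAFE_LOADERS:
                    self.findings.append(Finding(self.path, node.lineno,
                        f"load() with non-safe loader {name}"))
        elif qn == "ruamel.yaml.YAML":
            typ = next((kw.value for kw in node.keywords if kw.arg == "typ"), None)
            if isinstance(typ, ast.Constant) and typ.value == "unsafe":
                self.findings.append(Finding(self.path, node.lineno,
                    "YAML(typ='unsafe') constructs arbitrary Python objects"))
        self.generic_visit(node)


def scan_source(path, text):
    """Scan one module's source text; returns a list of Finding."""
    scanner = _Scanner(path)
    scanner.visit(ast.parse(text, filename=path))
    return scanner.findings


def scan_tree(root):
    """Scan every .py file under root (e.g. a site-packages directory)."""
    findings = []
    for p in sorted(Path(root).rglob("*.py")):
        try:
            findings.extend(scan_source(str(p), p.read_text(encoding="utf-8")))
        except (SyntaxError, UnicodeDecodeError):
            continue  # skip files the stdlib parser cannot handle
    return findings


# Constructed sample "dependency" so the scan runs offline.
SAMPLE_DEPENDENCY = {
    "somedep/alias.py": "import ruamel.yaml as ry\ndef parse(t):\n    return ry.load(t, ry.Loader)\n",
    "somedep/config.py": "import ruamel.yaml\ndef parse(t):\n    return ruamel.yaml.load(t)\n",
    "somedep/new_api.py": "from ruamel.yaml import YAML\ndef parse(t):\n    return YAML(typ='unsafe').load(t)\n",
    "somedep/safe.py": "from ruamel import yaml\ndef parse(t):\n    return yaml.load(t, Loader=yaml.SafeLoader)\n",
}


def demo():
    """Write the constructed dependency to a temp dir and return (file, line, reason) tuples."""
    with tempfile.TemporaryDirectory() as d:
        for rel, src in SAMPLE_DEPENDENCY.items():
            p = Path(d) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(src, encoding="utf-8")
        return [(Path(f.path).name, f.lineno, f.reason) for f in scan_tree(d)]


if __name__ == "__main__":
    for name, line, reason in demo():
        print(f"{name}:{line}: {reason}")
```

Point `scan_tree()` at the `site-packages` directory of the environment you deploy, not just at your own repository: that is where the transitive callers of the deprecated API live. The scanner is name-resolution only, so it will not see a loader passed through a variable or a dynamically imported module; treat a clean result as "no obvious unsafe calls", not as proof of absence.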