OSSIndex / vulns

Report missing advisories and corrections on OSS Index
Is there a wrong message about "Microsoft.IdentityModel:7.0.0"? #297

Closed NPC-RX closed 1 year ago

NPC-RX commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2019-1006?component-type=nuget&component-name=Microsoft.IdentityModel

Component URL

https://ossindex.sonatype.org/component/pkg:nuget/Microsoft.IdentityModel@7.0.0

Description

Dependency-check reported a CVE-2019-1006 problem with Microsoft.IdentityModel.dll in my code. I have upgraded this DLL to the latest version, 7.0.0, but CVE-2019-1006 is still reported. There is only a 7.0.0 version of this DLL on NuGet. The NuGet link in Microsoft's advisory description also recommends upgrading to 7.0.0. Dependency-check gave me feedback that their data source is OSSINDEX; is this a wrong message for OSSINDEX?

https://github.com/jeremylong/DependencyCheck/issues/4603

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

Fixed: https://ossindex.sonatype.org/component/pkg:nuget/Microsoft.IdentityModel@7.0.0