Closed msymons closed 2 years ago
I'm running into this as well, and found https://github.com/h2database/h2database/issues/3547, in addition to https://github.com/h2database/h2database/issues/3552, which @msymons reported.
This is the second significant false positive I've encountered in only 2 days, and by significant, I mean that skilled security researchers would have identified the false positives as such.
Given the ubiquitous usage of Sonatype for OSS infrastructure, I hope these kinds of (automated, I suspect?) false positives will be addressed very soon.
Thanks for bringing this to our attention! We have reviewed the issue and removed sonatype-2020-1324 from our security data.
Please do feel free to let us know if you need anything else!
Best,
Ax Sharma
Sonatype
> Please do feel free to let us know if you need anything else!
Perhaps a new version of the API that would be able to reflect that an advisory has been withdrawn? The ability of the API to provide a last-updated timestamp?
The problem with simply removing something like sonatype-2020-1324 from data is that the old data still "pollutes" downstream systems... with no formal mechanism in the API to keep things properly updated.
Noted, thanks again for the feedback - taking it to our product teams.
An internal feature request has been created for your feature:
> Perhaps a new version of the API that would be able to reflect that an advisory has been withdrawn? The ability of the API to provide a last-updated timestamp?
As this is a fairly major change in the data pipeline I cannot comment on where it would fit on the roadmap, but I do like the idea so will try and champion it and/or find an alternative way to make it happen.
Vulnerability URL
Component URL
Latest version of h2 (as of June 20 2022) reports the vulnerability, as do all earlier versions.
Description
sonatype-2020-1324 is based on a blog post from Code White:
https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html
I reported this to the h2 project and they have provided a detailed explanation of why this is NOT a vulnerability:
https://github.com/h2database/h2database/issues/3552