OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Bug: sonatype-2022-2100 #300

Status: Closed (lukaseder closed this issue 2 years ago)

lukaseder commented 2 years ago

Vulnerability URL: https://ossindex.sonatype.org/vulnerability/sonatype-2022-2100

Component URL: https://ossindex.sonatype.org/component/pkg:maven/org.jooq/jooq

Description: The "vulnerability" is just listing a few XML export bugs, which have no impact on security. They also list a completely unrelated bug that doesn't even have anything to do with XML.

I wonder how this "vulnerability" came to be. Some automation false positive? I think such vulnerability reports should at least have some description about why a researcher thought this was going to be a risk.

ryandens commented 2 years ago

I encountered this as well. I'm glad this issue exists to help inform people of the false positive, but it seems odd that Sonatype is flagging vulnerabilities without reaching out to maintainers or providing a justification.

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue was deemed to be a false positive and removed some time ago. There is a multi-step research process; some things are automated and some are not. In cases where there has been additional research we are working on providing additional research to the free users that will include more references and more detailed (human written) explanations. We cannot provide the full sum of our manual research in the free products, but rest assured the OSS Index team is working on exposing as much as we are able.
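The thread leaves two practical questions open for anyone whose build was flagged: is the withdrawn advisory still appearing in the component report your scanner sees, and how do you suppress a known false positive (with a written justification pointing at an issue like this one) without silencing everything else for the component? The script below is an added example, not code from OSS Index, Sonatype or jOOQ. It assumes the OSS Index v3 component-report endpoint (POST of a JSON `coordinates` list of package URLs, returning one entry per coordinate with a `vulnerabilities` list whose items carry a `displayName` such as `sonatype-2022-2100`); that shape is from my own use of the API, not from this page. The sample report embedded in the block is constructed for illustration and is not real OSS Index data; the network call is kept in a separate function so the triage logic runs offline.

```python
import json
import urllib.request

# Assumed endpoint of the OSS Index v3 REST API (not stated on the page).
OSSINDEX_REPORT_URL = "https://ossindex.sonatype.org/api/v3/component-report"

# CONSTRUCTED sample response in the assumed v3 shape: a list with one entry
# per requested coordinate. The advisory entry is a placeholder that models
# the false positive from the issue still being present; it is not real data.
SAMPLE_REPORT = json.loads("""
[
  {
    "coordinates": "pkg:maven/org.jooq/jooq@3.17.4",
    "reference": "https://ossindex.sonatype.org/component/pkg:maven/org.jooq/jooq@3.17.4",
    "vulnerabilities": [
      {
        "id": "00000000-0000-0000-0000-000000000000",
        "displayName": "sonatype-2022-2100",
        "title": "[sonatype-2022-2100] constructed placeholder title",
        "cvssScore": 5.3,
        "reference": "https://ossindex.sonatype.org/vulnerability/sonatype-2022-2100"
      },
      {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "sonatype-9999-0001",
        "title": "[sonatype-9999-0001] constructed placeholder, unrelated finding",
        "cvssScore": 7.5,
        "reference": "https://ossindex.sonatype.org/vulnerability/sonatype-9999-0001"
      }
    ]
  }
]
""")

# Local suppression list: advisory display name -> justification. Keeping the
# reason next to the entry is what the issue reporters asked Sonatype for, and
# it lets a reviewer re-check the suppression when the data set changes.
SUPPRESSIONS = {
    "sonatype-2022-2100": "False positive per OSSIndex/vulns issue #300; "
                          "entries are non-security XML export bugs.",
}


def fetch_report(coordinates, timeout=30):
    """POST package URLs to OSS Index and return the parsed JSON report.

    Not called by the offline examples; unauthenticated use is rate-limited,
    so add HTTP basic auth (user + API token) for anything beyond a few calls.
    """
    body = json.dumps({"coordinates": list(coordinates)}).encode()
    req = urllib.request.Request(
        OSSINDEX_REPORT_URL,
        data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def find_advisory(report, display_name):
    """Return the coordinates in the report that still list the given advisory."""
    return [
        entry["coordinates"]
        for entry in report
        if any(v.get("displayName") == display_name
               for v in entry.get("vulnerabilities", []))
    ]


def triage(report, suppressions):
    """Return {coordinates: [displayName, ...]} for findings not suppressed.

    Only the named advisory is dropped; any other finding on the same
    component is still reported, so a suppression never blanket-whitelists
    a package.
    """
    open_findings = {}
    for entry in report:
        remaining = [
            v["displayName"]
            for v in entry.get("vulnerabilities", [])
            if v.get("displayName") not in suppressions
        ]
        if remaining:
            open_findings[entry["coordinates"]] = remaining
    return open_findings


if __name__ == "__main__":
    still_listed = find_advisory(SAMPLE_REPORT, "sonatype-2022-2100")
    print("advisory still listed for:", still_listed)
    print("open findings after suppression:", triage(SAMPLE_REPORT, SUPPRESSIONS))
```

To check live data, replace `SAMPLE_REPORT` with `fetch_report(["pkg:maven/org.jooq/jooq@<version>"])` for the version your build resolves; if `find_advisory` returns an empty list the withdrawal has reached the endpoint, and the suppression entry can be retired rather than left to rot.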