OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Bug: https://ossindex.sonatype.org/vulnerability/CVE-2020-36204 (Incorrect vulnerability details) #314

Closed janpio closed 1 year ago

janpio commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2020-36204

Component URL

https://ossindex.sonatype.org/component/pkg:cargo/im

Description

cargo-pants (which uses this dataset) is outputting the above vulnerability for version 15.1.0 of the im crate:

Vulnerable Dependencies

[1/1] pkg:cargo/im@15.1.0
1 known vulnerability found

Vulnerability Title: [CVE-2020-36204] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
╭─────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ ID          │ CVE-2020-36204                                                                                                                                                    │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Description │ An issue was discovered in the im crate through 2020-11-09 for Rust. Because TreeFocus does not have bounds on its Send trait or Sync trait, a data race can occu │
│             │ r.                                                                                                                                                                │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS Score  │ 4.7                                                                                                                                                               │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS Vector │ CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H                                                                                                                      │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Reference   │ https://ossindex.sonatype.org/vulnerability/CVE-2020-36204?component-type=cargo&component-name=im&utm_source=cargo-pants&utm_medium=integration&utm_content=0.4.7 │
╰─────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Inverse Dependency graph
im 15.1.0 (registry+https://github.com/rust-lang/crates.io-index)
...

I think your dataset should not report 15.1.0 as vulnerable. Thanks.

PS: FYI, the instructions in your main README and your issue template default subject do not match - I am not super sure I named this issue exactly how it should be named. Please let me know if I should fix something.

PPS: Going from the vulnerability to the component was surprisingly different without prior knowledge of your system. I hope I figured that out correctly as well.
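The defect class named in the quoted CVE description (a cursor type whose `Send`/`Sync` impls carry no bound on the payload type) can be shown at the type level without triggering the race. The following is an added, constructed illustration; it is not code from the im crate, from cargo-pants, or from this thread, and the type names `UnboundedFocus`, `Focus`, `assert_send` and `assert_sync` are assumptions chosen for the example. It places the unsound pattern beside the bounded form that only promises thread safety when the payload itself provides it.

```rust
use std::rc::Rc;
use std::thread;

// Constructed illustration (not the im crate's TreeFocus): a cursor that
// owns a node through a raw pointer. Raw pointers are neither Send nor
// Sync, so the author must write the unsafe impls by hand.
pub struct UnboundedFocus<T> {
    node: *mut T,
}

// BUG (the pattern the CVE description names): no bound on T, so a focus
// over a !Send payload such as Rc<T> is accepted as Send and may cross
// threads; concurrent access to that payload is then a data race.
unsafe impl<T> Send for UnboundedFocus<T> {}
unsafe impl<T> Sync for UnboundedFocus<T> {}

// FIXED form: same layout, but thread safety is inherited from T.
pub struct Focus<T> {
    node: *mut T,
}

unsafe impl<T: Send> Send for Focus<T> {}
unsafe impl<T: Sync> Sync for Focus<T> {}

impl<T> Focus<T> {
    pub fn new(value: T) -> Self {
        Focus { node: Box::into_raw(Box::new(value)) }
    }

    pub fn get(&self) -> &T {
        // Safe: `node` came from Box::into_raw and is freed only in Drop.
        unsafe { &*self.node }
    }
}

impl<T> Drop for Focus<T> {
    fn drop(&mut self) {
        unsafe { drop(Box::from_raw(self.node)) }
    }
}

/// Compile-time probes: these only type-check when T has the trait.
pub fn assert_send<T: Send>() {}
pub fn assert_sync<T: Sync>() {}

/// The unsound impl lets the type checker accept a focus over an Rc
/// payload as Send. The fact that this function compiles is the bug.
pub fn unbounded_accepts_rc_payload() -> bool {
    assert_send::<UnboundedFocus<Rc<u32>>>();
    assert_sync::<UnboundedFocus<Rc<u32>>>();
    true
}

/// With the bounded impls, a focus over a Send payload can still be moved
/// to another thread and read there; the sum is computed on that thread.
pub fn fixed_focus_sum_on_other_thread() -> u32 {
    let focus = Focus::new(vec![1u32, 2, 3, 4]);
    assert_send::<Focus<Vec<u32>>>();
    // assert_send::<Focus<Rc<u32>>>(); // rejected by the compiler: Rc<u32> is not Send
    thread::spawn(move || focus.get().iter().sum::<u32>())
        .join()
        .expect("worker thread panicked")
}

fn main() {
    println!("unbounded impl accepts Rc payload: {}", unbounded_accepts_rc_payload());
    println!("sum read through fixed focus: {}", fixed_focus_sum_on_other_thread());
}
```

The useful check for a reviewer of such code is the commented-out line: with the bounded impls, `Focus<Rc<u32>>` fails to compile as `Send`, which is exactly the rejection the unbounded version lacks.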

janpio commented 1 year ago

Hello? Anything I can do to get this noticed? Can I even see the raw information on the website that cargo-pants is using, to double check if this was fixed already somehow?

ken-duck commented 1 year ago

Sorry for the delay. We are still working on developing processes to handle issues, and I have been away for a while (catching up now)!

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

As per the new process you should start to see SIGNIFICANTLY faster response times.

janpio commented 1 year ago

Any update here?

ken-duck commented 1 year ago

Very sorry for the delay. You should have seen the issue resolved sometime in the last several months, for a couple of reasons:

  1. We moved from the old OSS Index database to a new database with a much larger research team and significantly more vulnerabilities
  2. The researchers for that new database fixed that issue quite some time ago

Now that we are on the newer database you should see significantly faster progress on issues and many more vulnerabilities. In addition, if you raise future issues through email at ossindex@sonatype.org you will find a more rapid response, as that is now being actively monitored by a team to ensure resolutions happen at a reasonable pace.