OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details for sonatype-2022-4070 (does not apply to yaml.v2) #322

Closed heyLu closed 1 year ago

heyLu commented 1 year ago

Vulnerability URL Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/sonatype-2022-4070?component-type=golang&component-name=gopkg.in%2Fyaml.v2

Component URL Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:golang/gopkg.in/yaml.v2

Description

This vulnerability does not apply to yaml.v2, only yaml.v3. This is visible both in the linked issue https://github.com/go-yaml/yaml/issues/665 and the related one at https://github.com/go-yaml/yaml/issues/666#issuecomment-1133337993, where it is described that the vulnerability was misattributed to yaml.v2.
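The report turns on one detail: gopkg.in/yaml.v2 and gopkg.in/yaml.v3 are separate Go modules that happen to share the go-yaml/yaml repository, so an advisory scoped to one must not be applied to the other. The following Go program is an added example, not code from OSS Index or from the issue author; it parses the package URLs that appear in the links above and shows an advisory match done on the exact module path (major-version suffix included) next to a deliberately loose match that keys on the shared repository and produces exactly the false positive reported here. The Advisory record shape, the absence of version-range matching, and the repoKey heuristic are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// PURL holds the parts of a package URL (pkg:type/namespace/name@version)
// that advisory matching needs. Qualifiers and subpaths are dropped.
type PURL struct {
	Type      string
	Namespace string
	Name      string
	Version   string
}

// ParsePURL parses a purl such as "pkg:golang/gopkg.in/yaml.v2@v2.4.0".
// Path segments are percent-decoded individually, as the purl spec requires.
func ParsePURL(s string) (PURL, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return PURL{}, fmt.Errorf("not a purl: %q", s)
	}
	rest := strings.TrimPrefix(s, "pkg:")
	if i := strings.IndexAny(rest, "?#"); i >= 0 { // drop qualifiers and subpath
		rest = rest[:i]
	}
	var version string
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		version = rest[i+1:]
		rest = rest[:i]
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if len(parts) < 2 {
		return PURL{}, fmt.Errorf("purl lacks a name: %q", s)
	}
	p := PURL{Type: strings.ToLower(parts[0]), Version: version}
	decoded := make([]string, 0, len(parts)-1)
	for _, seg := range parts[1:] {
		d, err := url.PathUnescape(seg)
		if err != nil {
			return PURL{}, fmt.Errorf("bad purl segment %q: %w", seg, err)
		}
		decoded = append(decoded, d)
	}
	p.Name = decoded[len(decoded)-1]
	p.Namespace = strings.Join(decoded[:len(decoded)-1], "/")
	return p, nil
}

// ModulePath rebuilds the Go module path, major-version suffix included.
func (p PURL) ModulePath() string {
	if p.Namespace == "" {
		return p.Name
	}
	return p.Namespace + "/" + p.Name
}

// Advisory is a minimal, assumed record shape: an identifier and the exact
// module it affects. Version ranges are deliberately left out of this example.
type Advisory struct {
	ID             string
	AffectedModule string
}

// Affected reports whether adv applies to component p, matching on the exact
// module path so that gopkg.in/yaml.v2 and gopkg.in/yaml.v3 stay distinct.
func Affected(adv Advisory, p PURL) bool {
	return p.Type == "golang" && p.ModulePath() == adv.AffectedModule
}

// repoKey is an illustrative heuristic (an assumption, not OSS Index's logic):
// dropping the ".vN" suffix collapses both yaml modules onto their shared
// go-yaml/yaml repository, which is how the two can get conflated.
func repoKey(modulePath string) string {
	if i := strings.LastIndex(modulePath, ".v"); i >= 0 {
		return modulePath[:i]
	}
	return modulePath
}

// LooselyAffected matches on repoKey instead of the module path; it flags
// yaml.v2 for an advisory that names yaml.v3, the false positive reported above.
func LooselyAffected(adv Advisory, p PURL) bool {
	return p.Type == "golang" && repoKey(p.ModulePath()) == repoKey(adv.AffectedModule)
}

func main() {
	// Advisory id from the issue; the affected module is yaml.v3 per the report.
	adv := Advisory{ID: "sonatype-2022-4070", AffectedModule: "gopkg.in/yaml.v3"}
	for _, s := range []string{"pkg:golang/gopkg.in/yaml.v2", "pkg:golang/gopkg.in/yaml.v3@v3.0.0"} {
		p, err := ParsePURL(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-40s exact=%v loose=%v\n", s, Affected(adv, p), LooselyAffected(adv, p))
	}
}
```

Running it prints one line per component: the exact match flags only yaml.v3, while the loose match flags both. A scanner that consumes advisory feeds should treat the full module path as the matching key and reject a feed entry whose affected package does not resolve to a module the advisory text actually names.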

ken-duck commented 1 year ago

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

Lepidopteron commented 1 year ago

Is there an update on this available?

hallm4 commented 1 year ago

It would be great if this could be fixed.

ken-duck commented 1 year ago

Sorry for the delay. I am poking the team right now to see what is up.

ken-duck commented 1 year ago

This should have been resolved since Christmas. Closing.

Thanks for the heads up on the issue.