OSSIndex / vulns

Report missing advisories and corrections on OSS Index

False positive CVE reported for PyPI package ansible-core #323

Closed p3pijn closed 1 year ago

p3pijn commented 1 year ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2022-2568?component-type=pypi&component-name=ansible-core

Component URL

https://ossindex.sonatype.org/component/pkg:pypi/ansible-core@2.13.3

Description

CVE-2022-2568 should not be reported for PyPI package ansible-core. The CPEs in NVD are linked to Ansible Automation Platform and not to this PyPI package.

janlaan commented 1 year ago

Similar issue for another CVE within the same package in #311

ken-duck commented 1 year ago

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

I am at long last cleaning up and closing issues from our tracking system. You may have already noticed that the issue was resolved at some point. From our research team:

The CPE codes are notoriously unreliable. We completed "Deep Dive" research on it at some point since this was submitted so we're now implicating the correct coordinate, which in this case was actually galaxy-ng.