Closed Marvin-Brouwer closed 2 years ago
Yes, that's definitely a false positive. It's searching for a "Tasks" application which has a bug fixed in 9.7.3.
This library is Nito.AsyncEx.Tasks, which has nothing to do with that "Tasks" application, and has never had a version that high. :)
Right, I guess I'll add a bug report on their repo then 😄 Thanks for the quick reply!
Hi,
I've been using your library for an application that goes through OWASP dependency check every CI run, and your library pops up from time to time.
I've mostly been suppressing issues since we don't have an alternative and this tool is known for having a lot of false positives.
However, I thought it might be of use for you to know about this so you can address these "violations" and perhaps file a ticket with OWASP if it's actually a false positive. Or fix it if it's actually a vulnerability.
Version used: Nito.AsyncEx.Tasks@5.1.2 => Nito.AsyncEx.Tasks@5.1.2
Application runtime: netcore_3_1
We only save the HTML version so I'll try to copy the report as secure as I can:
Nito.AsyncEx.Tasks.dll
Description: Nito.AsyncEx.Tasks
Common helper methods for tasks as used in asynchronous programming.
File Path: D:\a\1\s\src{OMITTED}\bin\Release\netcoreapp3.1\Nito.AsyncEx.Tasks.dll
MD5: {OMITTED}
SHA1: {OMITTED}
SHA256: {OMITTED}
Evidence
Related Dependencies
Identifiers
pkg:generic/Nito.AsyncEx.Tasks@5.1.2 (Confidence: Medium)
cpe:2.3:a:tasks:tasks:5.1.2:*:*:*:*:*:*:* (Confidence: Low)
Published Vulnerabilities
CVE-2020-22475
"Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions.
CWE-276 Incorrect Default Permissions
CVSSv2:
/AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSSv3:
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Vulnerable Software & Versions:
cpe:2.3:a:tasks:tasks:*:*:*:*:*:*:*:* versions up to (excluding) 9.7.3
I realize not all the URLs result in a working page, that's how I got the report. I also have to confess that I don't really grasp what all of this means myself since they don't really provide any examples on what the code is vulnerable to.
That being said, I think the following line indicates a false positive:
But I'd like to validate either way.
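A suppression rule for exactly this kind of CPE mismatch, added here as an example; it is not from the thread, the Nito.AsyncEx project, or the dependency-check documentation. It assumes the dependency-check suppression file format (schema 1.3) and takes the `pkg:generic/Nito.AsyncEx.Tasks@...` package URL and the `tasks:tasks` CPE from the report quoted above; the file name and the notes text are made up for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP dependency-check (schema 1.3).
     Not part of the thread or the Nito.AsyncEx project. The purl regex and the
     CPE come from the report above; the file name is an assumption. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: Nito.AsyncEx.Tasks.dll is identified as cpe:/a:tasks:tasks
        (the "Tasks" Android application) because both names contain "tasks".
        Suppress the CPE rather than only CVE-2020-22475, so every vulnerability
        attached to that unrelated product is dropped for this package.
        ]]></notes>
        <!-- Scope the rule to this package only. The version is left open so the
             suppression keeps working after the library is upgraded. -->
        <packageUrl regex="true">^pkg:generic/Nito\.AsyncEx\.Tasks@.*$</packageUrl>
        <cpe>cpe:/a:tasks:tasks</cpe>
    </suppress>
</suppressions>
```

Pass the file with `--suppression <file>` on the CLI (or the `suppressionFile` setting of the Maven/Gradle plugins), re-run the scan, and check that the `cpe:2.3:a:tasks:tasks` identifier no longer appears under Identifiers for the DLL, not just that the CVE is gone. Suppressing the CPE is the right scope here because the match itself is wrong, so any future CVE filed against that product would otherwise resurface on every run; the trade-off is that a suppression by CPE hides every finding for that product on this package, which is why the `packageUrl` regex is kept narrow. The report above shows a `pkg:generic` purl, meaning the assembly was scanned directly; if the same project is also scanned through NuGet package metadata, the purl type may differ and the regex would need to be widened accordingly.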