devops-kung-fu / bomber

Scans Software Bill of Materials (SBOMs) for security vulnerabilities
Mozilla Public License 2.0

Bomber reporting OSV vulnerabilities on package versions that aren't in SBOM #223

Open ppeters0502 opened 1 week ago

ppeters0502 commented 1 week ago

Hello there. We use bomber pretty extensively when reviewing open source packages and other software that are in my company's environment. I was reviewing the open source package eslint, downloaded the SPDX SBOM from GitHub and ran a Bomber scan of that SBOM. The Bomber report displayed several vulnerabilities, including 5 Critical vulnerabilities that I started reviewing. One of these vulnerabilities was tied to the dependency eslint-scope, but is specific to version 3.7.2, with a patch deployed in version 3.7.3.

[image]

The version of eslint-scope in the SBOM, and listed in the package.json file of this project, is 8.0.1 though, and I'm not really sure why this vulnerability still came up for this dependency.

[image]

Are package versions checked when bomber gets an OSV or other vulnerability DB result back?

djschleen commented 1 week ago

We'll take a look!

ivanb-blip commented 2 days ago

I'm facing a similar issue where for unspecified (latest) dependency versions bomber picks up vulnerabilities over a range of older versions.

Example for Pandas with GitPython

[images]
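The check both reports are asking about, written out as an added example in Go (the language bomber is written in); this is not bomber's own code and does not describe how bomber queries OSV. It takes an OSV-style record and an SBOM component version, applies OSV's introduced/fixed range semantics so that eslint-scope 8.0.1 is not matched by an advisory fixed in 3.7.3, and reports a dependency whose version is missing or not a version at all (the "unspecified (latest)" case from the second report) as unverifiable instead of matching it against every older release. The record, its placeholder advisory ID and the SBOM versions are constructed for the example; the semver parser assumes plain major.minor.patch with an optional pre-release suffix, and only SEMVER-style ranges with introduced/fixed events are handled (last_affected and explicit version lists are not).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the OSV schema (https://ossf.github.io/osv-schema/): encoding/json matches
// keys case-insensitively, so untagged fields bind to "affected", "introduced", etc.
type osvEvent struct{ Introduced, Fixed string }
type osvAffected struct{ Ranges []struct{ Events []osvEvent } }
type osvVuln struct {
	ID       string
	Affected []osvAffected
}

// semver is major.minor.patch plus a fourth key (0 = pre-release, 1 = release) so that
// 3.7.3-rc.1 sorts below 3.7.3; pre-releases are not ordered among themselves.
type semver [4]int

func parseSemver(s string) (v semver, err error) {
	base, _, isPre := strings.Cut(strings.TrimSpace(s), "-")
	if !isPre {
		v[3] = 1 // release key sorts above any "-pre" of the same base version
	}
	for i, p := range strings.Split(base, ".") {
		n, e := strconv.Atoi(p)
		if i > 2 || e != nil || n < 0 {
			return v, fmt.Errorf("not a semver: %q", s)
		}
		v[i] = n
	}
	return v, nil
}

func (a semver) less(b semver) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// latestAtOrBelow returns the highest parsable version in the list that is <= v.
func latestAtOrBelow(versions []string, v semver) (best semver, ok bool) {
	for _, s := range versions {
		if at, err := parseSemver(s); err == nil && !v.less(at) && (!ok || best.less(at)) {
			best, ok = at, true
		}
	}
	return best, ok
}

type Match string

const (
	NotAffected  Match = "not affected"
	Affected     Match = "AFFECTED"
	Unverifiable Match = "unverifiable" // version missing or not semver: the range cannot be evaluated
)

// IsAffected applies OSV range semantics: affected when some "introduced" event is at or
// below the version and no "fixed" event lies in between (a fixed version itself is clean).
// An absent or unparsable version is reported as Unverifiable instead of silently matched.
func IsAffected(v osvVuln, version string) Match {
	sv, err := parseSemver(version)
	if err != nil {
		return Unverifiable
	}
	for _, a := range v.Affected {
		for _, r := range a.Ranges {
			var intro, fixed []string
			for _, e := range r.Events {
				intro, fixed = append(intro, e.Introduced), append(fixed, e.Fixed)
			}
			in, okIn := latestAtOrBelow(intro, sv)
			fix, okFix := latestAtOrBelow(fixed, sv)
			if okIn && (!okFix || fix.less(in)) {
				return Affected
			}
		}
	}
	return NotAffected
}

// Constructed record modelled on the thread (placeholder ID): eslint-scope affected before 3.7.3.
const sampleOSV = `{"id": "EXAMPLE-PLACEHOLDER-0001", "affected": [{"package": {"name": "eslint-scope"},
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "3.7.3"}]}]}]}`

func LoadSample() (v osvVuln) {
	if err := json.Unmarshal([]byte(sampleOSV), &v); err != nil {
		panic(err)
	}
	return v
}

func main() {
	for _, ver := range []string{"8.0.1", "3.7.2", ""} { // constructed SBOM entries
		fmt.Printf("eslint-scope@%q: %s\n", ver, IsAffected(LoadSample(), ver))
	}
}
```

The third outcome is the design point: a scanner that cannot evaluate a range because the SBOM carries no concrete version should say so in the report rather than either dropping the finding or listing every historical advisory for the package, which is what produces the long lists of old-version hits described above.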