Closed levinebw closed 1 week ago
Hi @levinebw, we have the affected product set to `github.com/elastic/beats/v7` because, according to https://discuss.elastic.co/t/beats-and-elastic-agent-8-11-3-7-17-16-security-update-esa-2023-30/349180, `github.com/elastic/beats` doesn't become vulnerable until version 7.0.0, which is the first version covered by `github.com/elastic/beats/v7`. Changing the affected product to `github.com/elastic/beats` but keeping the `< 7.17.16` vulnerable version range would mean that users of non-vulnerable versions would inappropriately receive Dependabot alerts and users of vulnerable versions would fail to receive Dependabot alerts.

I hope I adequately explained why the affected product for the 7.x branch is set to `github.com/elastic/beats/v7` and why we won't change the affected product for the 7.x branch to `github.com/elastic/beats`. Please feel free to follow up if you have any questions, and have a great week!
Ok thanks @shelbyc, it appears that some scanners (Prisma, Trivy) are identifying non-vulnerable versions as vulnerable. I've submitted a separate commit to correct the introduced version, which may be the reason:
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
- "introduced": "0"
+ "introduced": "7.0.0"
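Review bot: the hunk shows only the `introduced` event, so it is not visible which `package` entry this `ECOSYSTEM` range belongs to or whether the matching `fixed` event still reads `7.17.16`; please include the surrounding `package` and `fixed` lines so the resulting range can be confirmed as `>= 7.0.0, < 7.17.16` for the intended module path.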
Hi @shelbyc please see the separate request to update the Affected versions for v7. Thanks!
Hi @levinebw! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
@levinebw Thanks for following up and for your care and concern for accuracy! This ended up being a very interesting community contribution. I did a little more digging as part of this contribution and, as it turns out, you were correct to include `github.com/elastic/beats` in addition to `github.com/elastic/beats/v7`. I misread https://pkg.go.dev/github.com/elastic/beats/v7?tab=versions, which shows 7.7.0 as the first version on the `v7` branch, not 7.0.0. https://pkg.go.dev/github.com/elastic/beats?tab=versions has a version called [v7.0.0+incompatible](https://pkg.go.dev/github.com/elastic/beats@v7.0.0+incompatible). For the sake of completeness, I've included the vulnerable version range `>= 7.0.0, < 7.17.16` for both `github.com/elastic/beats/v7` and `github.com/elastic/beats`.
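To make the alert mismatch described in the first reply and the final range choice concrete, here is an added example, not code from the GitHub Advisory Database or from Elastic, that evaluates OSV `ECOSYSTEM` ranges against Go module versions. `Draft` and `Final` are constructed from the two states of the advisory discussed in this thread, and the version ordering assumes no pre-release tags.

```go
package main

import ("strconv"; "strings")

// Event is one entry of an OSV "events" array: "introduced" or "fixed" is set.
type Event struct{ Introduced, Fixed string }

// Affected is one advisory "affected" entry: a Go module path and its ECOSYSTEM events.
type Affected struct{ Package string; Events []Event }

// key orders Go module versions as major*1e6 + minor*1e3 + patch; the "+incompatible"
// build suffix is dropped so "v7.0.0+incompatible" == "7.0.0". No pre-release handling (assumption).
func key(v string) int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { v = v[:i] }
	parts, k := strings.SplitN(v, ".", 3), 0
	for i := 0; i < 3; i++ {
		n := 0
		if i < len(parts) { n, _ = strconv.Atoi(parts[i]) }
		k = k*1000 + n
	}
	return k
}
// IsAffected applies OSV ECOSYSTEM range semantics: events are ascending, an
// "introduced" opens a vulnerable window, a later "fixed" closes it, and an
// introduced value of "0" covers every version. The module path must match
// exactly, so github.com/elastic/beats and .../beats/v7 are separate products.
func IsAffected(adv []Affected, module, version string) bool {
	v := key(version)
	for _, a := range adv {
		if a.Package != module { continue }
		vulnerable := false
		for _, e := range a.Events {
			if e.Introduced != "" && v >= key(e.Introduced) { vulnerable = true }
			if e.Fixed != "" && v >= key(e.Fixed) { vulnerable = false }
		}
		if vulnerable { return true }
	}
	return false
}

// Draft: the un-suffixed entry with introduced "0" the thread suspects caused the false
// positives. Final: the thread's outcome, >= 7.0.0, < 7.17.16 on both module paths.
var Draft = []Affected{{"github.com/elastic/beats", []Event{{Introduced: "0"}, {Fixed: "7.17.16"}}}}
var Final = []Affected{
	{"github.com/elastic/beats/v7", []Event{{Introduced: "7.0.0"}, {Fixed: "7.17.16"}}},
	{"github.com/elastic/beats", []Event{{Introduced: "7.0.0"}, {Fixed: "7.17.16"}}},
}

func main() {
	println(IsAffected(Draft, "github.com/elastic/beats", "v6.8.0"), IsAffected(Final, "github.com/elastic/beats", "v6.8.0")) // true false
}
```

With `Draft`, a 6.x user of the un-suffixed module path is flagged; with `Final`, only 7.0.0 through 7.17.15 on either path is, and 7.17.16 and the `/v8` path are not.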