Open aarongoldenthal opened 2 years ago
False positive on npm package glob-parent@5.1.2 (pkg:npm/glob-parent@5.1.2) incorrectly reported as cpe:2.3:a:*:glob-parent:\\<5.1.2.
pkg:npm/glob-parent@5.1.2
cpe:2.3:a:*:glob-parent:\\<5.1.2
```json
{
  "isVirtual": true,
  "fileName": "glob-parent:5.1.2",
  "filePath": "\/app\/package-lock.json?glob-parent",
  "projectReferences": [
    "pa11y-ci-reporter-html: transitive"
  ],
  "evidenceCollected": {
    "vendorEvidence": [
      {
        "type": "vendor",
        "confidence": "HIGH",
        "source": "package.json",
        "name": "name",
        "value": "glob-parent"
      }
    ],
    "productEvidence": [
      {
        "type": "product",
        "confidence": "HIGHEST",
        "source": "package.json",
        "name": "name",
        "value": "glob-parent"
      }
    ],
    "versionEvidence": [
      {
        "type": "version",
        "confidence": "HIGHEST",
        "source": "package.json",
        "name": "version",
        "value": "5.1.2"
      }
    ]
  },
  "packages": [
    {
      "id": "pkg:npm\/glob-parent@5.1.2",
      "confidence": "HIGHEST",
      "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:npm\/glob-parent@5.1.2?utm_source=dependency-check&utm_medium=integration&utm_content=6.3.1"
    }
  ],
  "vulnerabilities": [
    {
      "source": "NPM",
      "name": "1751",
      "unscored": "true",
      "severity": "moderate",
      "cwes": [],
      "description": "`glob-parent` before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator.",
      "notes": "",
      "references": [
        {
          "source": "Advisory 1751: Regular expression denial of service",
          "name": "- [CVE](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-28469)\n- [GitHub Advisory](https:\/\/github.com\/advisories\/GHSA-ww39-953v-wcq6)\n"
        }
      ],
      "vulnerableSoftware": [
        {
          "software": {
            "id": "cpe:2.3:a:*:glob-parent:\\<5.1.2:*:*:*:*:*:*:*"
          }
        }
      ]
    }
  ]
},
```
Now reported as NPM-1002627
And now also reported as NPM-1005154
And now also reported for glob-parent v6.0.2, which is reported as cpe:2.3:a:*:glob-parent:\\<5.1.2:*:*:*:*:*:*:*.