jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: `CVE-2020-22475` for pkg:generic/Nito.AsyncEx.Tasks@5.1.2 #4106

Open Marvin-Brouwer opened 2 years ago

Marvin-Brouwer commented 2 years ago

Package URL

pkg:generic/Nito.AsyncEx.Tasks@5.1.2

CPE

cpe:2.3:a:tasks:tasks:5.1.2:*:*:*:*:*:*:*

CVE

CVE-2020-22475

ODC Integration

No response

ODC Version

6.5.3

Description

I've seen this one come up in a couple of versions of this library now, so I filed a report with the author: https://github.com/StephenCleary/AsyncEx/issues/251

It appears DependencyCheck is looking for a "Tasks" application which has a bug fixed in 9.7.3. However, this NuGet is Nito.AsyncEx.Tasks, so it's matching on the wrong name.

lonevvolf commented 2 years ago

The same issue is happening for us with different source libraries:

NETStandard.Library.2.0.0.nupkg:
  System.Threading.Tasks.dll

System.Threading.Tasks.4.3.0.nupkg:
  System.Threading.Tasks.dll

System.Threading.Tasks.Extensions.4.5.4.nupkg:
  System.Threading.Tasks.Extensions.dll
  System.Threading.Tasks.Extensions:4.5.4
  System.Threading.Tasks:4.3.0
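Until the CPE matching is fixed upstream, the practical mitigation for the false positive in the original report and the follow-up comment is a dependency-check suppression file. The example below is added here and is not part of the issue thread; it suppresses the wrong `tasks:tasks` CPE match (rather than the single CVE, since every CVE for that CPE would be a false positive against these packages) for the `Nito.AsyncEx.Tasks` package URL from the report, and, on the assumption that the `System.Threading.Tasks*` hits in the second comment are the same `tasks:tasks` match, for those package names as well.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file; not from the issue or the project. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Nito.AsyncEx.Tasks 5.1.2 (package URL taken from the report) is not
       the "Tasks" product behind CVE-2020-22475; the match is on the
       bare word "tasks" in the package name. Suppress the CPE, so the
       whole wrong identification is dropped, not just one CVE. -->
  <suppress>
    <notes><![CDATA[
    False positive: Nito.AsyncEx.Tasks is not cpe:/a:tasks:tasks
    (see DependencyCheck issue #4106).
    ]]></notes>
    <packageUrl regex="true">^pkg:generic/Nito\.AsyncEx\.Tasks@.*$</packageUrl>
    <cpe>cpe:/a:tasks:tasks</cpe>
  </suppress>

  <!-- ASSUMPTION: the System.Threading.Tasks* hits reported in the
       follow-up comment are the same tasks:tasks CPE match. The regex is
       anchored to the exact package names so unrelated packages are not
       silenced. -->
  <suppress>
    <notes><![CDATA[
    False positive: System.Threading.Tasks / System.Threading.Tasks.Extensions
    are .NET runtime libraries, not cpe:/a:tasks:tasks.
    ]]></notes>
    <packageUrl regex="true">^pkg:generic/System\.Threading\.Tasks(\.Extensions)?@.*$</packageUrl>
    <cpe>cpe:/a:tasks:tasks</cpe>
  </suppress>

</suppressions>
```

Point the scanner at it with `dependency-check.sh --suppression suppressions.xml` (or the equivalent `suppressionFile` setting in the Maven/Gradle plugins), and re-run so the suppressed entries appear in the report's suppressed section rather than silently vanishing.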