jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: ejs 3.1.10 for CVE-2023-29827 #6921

Closed devdevx closed 1 week ago

devdevx commented 2 weeks ago

Package URL

pkg:npm/ejs@3.1.10

CPE

cpe:2.3:a:ejs:ejs:3.1.10:*:*:*:*:*:*:*

CVE

CVE-2023-29827

ODC Integration

None

ODC Version

latest

Description

Actual vulnerable component is ejs version 3.1.9

github-actions[bot] commented 2 weeks ago

Npm Coordinates

npm i ejs@3.1.10

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6921
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/ejs@.*$</packageUrl>
   <cpe>cpe:/a:ejs:ejs</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10556924250
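A narrower project-level suppression for the same finding, added here as an example (it is not the bot's base rule and not part of the project): it matches only pkg:npm/ejs@3.1.10 and only CVE-2023-29827, rather than the ejs CPE for every version, and carries an expiry so the OSS Index data is re-checked instead of being silenced indefinitely. The schema URL and the expiry date are assumptions to adjust for your setup.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Added example for a project's own suppression file, not the ODC base file.
       The until date is a placeholder: the suppression stops applying after it. -->
  <suppress until="2025-12-31Z">
    <notes><![CDATA[
    ejs 3.1.10 flagged for CVE-2023-29827, reported as FP in issue #6921.
    Re-check the OSS Index entry for pkg:npm/ejs@3.1.10 before this expires.
    ]]></notes>
    <!-- Exact version only: the dots are escaped so 3.1.10 cannot match e.g. 3.1.100 -->
    <packageUrl regex="true">^pkg:npm/ejs@3\.1\.10$</packageUrl>
    <!-- Suppress the single disputed CVE, leaving any other ejs findings visible -->
    <cve>CVE-2023-29827</cve>
  </suppress>
</suppressions>
```

Point dependency-check at this file with the suppression-file option of whichever integration you use (CLI, Maven, Gradle); the bot's version-wide CPE rule above is what belongs in the ODC base file once the FP is confirmed.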

aikebah commented 2 weeks ago

The vulnerability is reported as such by OSSINDEX for this specific version of ejs [1]. So either OSSINDEX researchers have deemed the fix insufficient, or the OSSINDEX has incorrect data, in which case you would have to take this up with OSSINDEX. DependencyCheck merely reports that OSSINDEX deems ejs 3.1.10 affected.

[1] https://ossindex.sonatype.org/component/pkg:npm/ejs@3.1.10