Closed devdevx closed 1 week ago
Npm Coordinates
npm -i ejs@3.1.10
Suppression rule:
<suppress base="true">
  <notes><![CDATA[
  FP per issue #6921
  ]]></notes>
  <packageUrl regex="true">^pkg:npm/ejs@.*$</packageUrl>
  <cpe>cpe:/a:ejs:ejs</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/10556924250
The vulnerability is reported as such by OSSINDEX for this specific version of ejs [1]. So either OSSINDEX researchers have deemed the fix insufficient, or OSSINDEX has incorrect data, in which case you would have to take this up with OSSINDEX. DependencyCheck merely reports that OSSINDEX deems ejs 3.1.10 affected.
[1] https://ossindex.sonatype.org/component/pkg:npm/ejs@3.1.10
Package URL
pkg:npm/ejs@3.1.10
CPE
cpe:2.3:a:ejs:ejs:3.1.10:*:*:*:*:*:*:*
CVE
CVE-2023-29827
ODC Integration
None
ODC Version
latest
Description
Actual vulnerable component is ejs version 3.1.9