Closed bodewig closed 4 years ago
Thanks for raising the issue! You're right, of course.
@jlleitschuh I changed it here but that doesn't seem to update the published advisory. Do you know how that can be achieved?
I'll send an email
Many thanks @marcphilipp and @JLLeitschuh. The advisory has been updated.
Sorry to bother here, but it seems that the given CVE is still recognised by OSSINDEX for version 4.13.1, see https://ossindex.sonatype.org/component/pkg:maven/junit/junit@4.13.1
I raised https://github.com/OSSIndex/vulns/issues/127 to get it fixed.
https://github.com/advisories/GHSA-269g-pwp5-87pp says it affects any version prior to 4.13.1, which is not true, as rules didn't exist before 4.7. So the proper range would be 4.7 up to 4.13.
This is probably not terribly important but it caused dependabot to cry wolf on projects that are (deliberately) still using older versions - like extensions for JUnit 3 that happen to be still maintained. The same is/will soon be true for a bunch of other static code analyzers checking oldish code bases.