mrmans0n / compose-rules

Lint rules for ktlint/detekt aimed to contribute to a healthier usage of Compose. Actively maintained and evolved fork of the Twitter Compose rules.
https://mrmans0n.github.io/compose-rules

NVD Strike in core-ktlint #192

Closed FloTank closed 9 months ago

FloTank commented 9 months ago

NVD is failing because it's confusing the core-ktlint package with the ktlint-core package of the 0.30.0 version of the pinterest ktlint library https://github.com/pinterest/ktlint/tree/0.30.0/ktlint-core

OWASP Dependency-Check is striking your library because of that.

This is the issue your library is now being referenced to: https://nvd.nist.gov/vuln/detail/CVE-2019-1010260

mrmans0n commented 9 months ago

Sadly, there is little we can do about this on our end realistically. Changing the name of coordinates isn't a proper solution, nor is bumping the project version.

This issue was known on the pre-forked library issues, so remember I left it open on purpose so it would serve as documentation for people that want to know how to suppress this false positive. https://github.com/twitter/compose-rules/issues/73

This is the suppression code that was referenced there:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        Wrong detection of core-ktlint library, see: https://github.com/twitter/compose-rules/issues/73
        ]]></notes>
        <sha1>8b163196c50e68a62e3b5bb910a99e8415889654</sha1>
        <cve>CVE-2019-1010260</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Wrong detection of ktlint ruleset library, see: https://github.com/twitter/compose-rules/issues/73
        ]]></notes>
        <sha1>de64d1b35289d73edac35724941de3099193f782</sha1>
        <cve>CVE-2019-1010260</cve>
    </suppress>
</suppressions>
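The suppression above is pinned by `<sha1>`, which means it only matches the exact artifact bytes that were hashed: the moment the ruleset jar is bumped, the hash changes, the suppression silently stops applying and the false positive comes back. The script below is an added example, not part of this thread or of the compose-rules project; it parses a suppression file in the same schema, hashes the jars in a build, and reports which suppressions are live and which are stale. The jar names, manifest contents and the all-zero hash are constructed placeholders.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Namespace of the dependency-check suppression schema used in the file above.
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}


def parse_suppressions(xml_text: str) -> list:
    """Extract sha1, cves and notes from each <suppress> entry that is pinned by sha1."""
    root = ET.fromstring(xml_text)
    entries = []
    for sup in root.findall("s:suppress", NS):
        sha1 = sup.findtext("s:sha1", default="", namespaces=NS).strip().lower()
        cves = [c.text.strip() for c in sup.findall("s:cve", NS) if c.text]
        notes = (sup.findtext("s:notes", default="", namespaces=NS) or "").strip()
        entries.append({"sha1": sha1, "cves": cves, "notes": notes})
    return entries


def sha1_of_file(path: Path) -> str:
    """Hex SHA-1 of a file, read in chunks so large jars do not load into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(entries, jar_paths):
    """Split suppressions into those matching a jar on disk and those matching nothing (stale)."""
    by_hash = {sha1_of_file(p): p for p in jar_paths}
    matched = {e["sha1"]: by_hash[e["sha1"]] for e in entries if e["sha1"] in by_hash}
    stale = [e for e in entries if e["sha1"] not in by_hash]
    return matched, stale


def _make_jar(path: Path, manifest: bytes) -> None:
    # Constructed stand-in for a real artifact: a zip with one entry, enough to hash.
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def run_demo() -> dict:
    """Build two constructed jars and a suppression file, then audit them.

    One suppression is pinned to the current sha1 of the ruleset jar (live);
    the other is pinned to an all-zero placeholder sha1 standing in for the hash
    of a version that is no longer in the build (stale).
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        ruleset = root / "compose-rules-ktlint-demo.jar"   # constructed name
        other = root / "unrelated-demo.jar"                 # constructed name
        _make_jar(ruleset, b"Manifest-Version: 1.0\n")
        _make_jar(other, b"Manifest-Version: 1.0\nName: unrelated\n")
        live_sha1 = sha1_of_file(ruleset)
        stale_sha1 = "0" * 40  # placeholder, not a real artifact hash
        xml_text = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS['s']}">
    <suppress>
        <notes><![CDATA[ live: pinned to the jar currently in the build ]]></notes>
        <sha1>{live_sha1}</sha1>
        <cve>CVE-2019-1010260</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[ stale: pinned to a hash no artifact in the build has ]]></notes>
        <sha1>{stale_sha1}</sha1>
        <cve>CVE-2019-1010260</cve>
    </suppress>
</suppressions>
"""
        entries = parse_suppressions(xml_text)
        matched, stale = audit(entries, [ruleset, other])
        return {
            "matched": sorted(matched.keys()),
            "stale": [e["sha1"] for e in stale],
            "live_sha1": live_sha1,
        }


if __name__ == "__main__":
    r = run_demo()
    print("live suppressions:", r["matched"])
    print("stale suppressions (will not suppress anything):", r["stale"])
```

Running the audit in CI after a dependency bump turns a silently re-appearing false positive into an explicit "stale suppression" finding, so the hash can be refreshed deliberately rather than discovered when the next scan fails.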