owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

False-Positive: Receiving findings for lodash@4.17.21 #353

Open harshit-kochar opened 1 month ago

harshit-kochar commented 1 month ago

PURL of wrongly matched component

pkg:npm/lodash@4.17.21

Depscan findings

Receiving {"id": "CVE-2019-1010266", "package": "npm:lodash", "purl": "pkg:npm/lodash@4.17.21", "package_type": "npm", "package_usage": "required", "version": "4.17.21", "fix_version": "4.17.11", "severity": "MEDIUM", "cvss_score": "5.0", "short_description": "# Regular Expression Denial of Service (ReDoS) in lodash\nlodash prior to 4.7.11 is affected by: CWE 400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.\nUpgrade to version 4.17.11 or later", "related_urls": [], "occurrence_count": 2192, "reachable_flows": 537}

Output: image
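An added example, not dep-scan's own code, of a triage check a practitioner could run over records like the one above: it compares the version in the purl with the record's fix_version using a plain dotted-version comparison and flags findings where the matched version is already at or past the fix (lodash@4.17.21 against a fix of 4.17.11 here). The sample record is constructed from the fields quoted in this issue.

```python
import json
import re

# Constructed sample: the finding quoted in this issue, reduced to the fields used below.
SAMPLE_FINDING = json.dumps({
    "id": "CVE-2019-1010266",
    "purl": "pkg:npm/lodash@4.17.21",
    "version": "4.17.21",
    "fix_version": "4.17.11",
    "severity": "MEDIUM",
})


def parse_version(text):
    """Split a dotted version into a tuple of ints; a non-numeric tail ends the tuple."""
    parts = []
    for piece in text.strip().lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def purl_version(purl):
    """Return the version component of a purl (text after the last '@', before any '?')."""
    if "@" not in purl:
        return None
    return purl.rsplit("@", 1)[1].split("?", 1)[0]


def is_suspect_finding(record):
    """True when the matched version is already >= fix_version, i.e. the record is
    inconsistent with its own advisory and should be triaged as a likely false positive."""
    installed = purl_version(record.get("purl", "")) or record.get("version", "")
    fix = record.get("fix_version", "")
    if not installed or not fix:
        return False
    return parse_version(installed) >= parse_version(fix)


def triage_jsonlines(lines):
    """Partition jsonlines finding records into (actionable, suspect) lists of ids."""
    actionable, suspect = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        (suspect if is_suspect_finding(record) else actionable).append(record["id"])
    return actionable, suspect
```

The check is a filter for review, not a verdict: a fix_version below the matched version usually means a mismatched or mis-stated advisory, so flagged records still deserve a look against the advisory text rather than silent suppression.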

prabhu commented 1 month ago

I am confused. It says no oss vulnerabilities in the screenshot. Is the bug that jsonlines report is incorrect?

harshit-kochar commented 1 month ago

You are correct @prabhu, I checked the html output and did not find this entry there.

prabhu commented 1 month ago

We have removed the jsonlines reporting format in v6. Will think of a way to bring back some kind of json export for such direct purl queries.

harshit-kochar commented 1 month ago

Thanks