rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License

nvd-clojure incorrectly flags core.async with a CVE #141

Closed kelvinqian00 closed 2 years ago

kelvinqian00 commented 2 years ago

Since around April 13, nvd-clojure reports the following CVE:

+------------------------+----------------+
| dependency             | status         |
+------------------------+----------------+
| core.async-1.5.648.jar | CVE-2021-43138 |
+------------------------+----------------+

corresponding to CVE-2021-43138. However, upon further investigation, this CVE had nothing to do with core.async at all. Instead, it is/was associated with a completely separate JavaScript library: https://github.com/caolan/async, which core.async does not even have as a dependency. (Closed PR regarding the issue: https://github.com/caolan/async/pull/1828)

This error was reproduced on nvd-clojure versions 1.9.0 and 2.5.0 on both macOS and Ubuntu via GitHub Actions.
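A DependencyCheck suppression rule for exactly this false positive, added here as an example and not part of the issue thread: it matches the core.async jar by file name and suppresses only CVE-2021-43138, so any other finding against that artifact still surfaces. Wiring the file in through nvd-clojure's suppression-file configuration setting is assumed here; check the project README for the exact key.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example suppression file for OWASP DependencyCheck (used by nvd-clojure). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2021-43138 concerns the JavaScript library caolan/async,
      not org.clojure core.async. The match is on the shared "async" name only.
      Scoped to the jar file name and this single CVE so other findings are not hidden.
    ]]></notes>
    <!-- Match any core.async jar version; the regex anchors on the artifact name. -->
    <filePath regex="true">.*[/\\]core\.async-[0-9][^/\\]*\.jar$</filePath>
    <cve>CVE-2021-43138</cve>
  </suppress>
</suppressions>
```

Keep the suppression narrow (one CVE, one artifact pattern) rather than suppressing the whole jar, so a genuine future core.async advisory is still reported.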

vemv commented 2 years ago

Duplicate of https://github.com/rm-hull/nvd-clojure/issues/140#issuecomment-1102808761

Sorry about the false positive, I'll try to ping the DependencyCheck team in case they can improve something.