Request to publish new version #560
Comments
Based on the answer from Dependency Check's support team, they suggest releasing a new version from
A new release is not what I suggested, though it would solve the false positive that occurs right now.
@aikebah Would you share your point of view regarding what other options are available as a solution? Could you elaborate on it more?
The regular way for open source projects in case of a false positive (something that is almost unavoidable due to how ODC links software to CPEs, which are the key to 'known vulnerabilities' in the NIST NVD data) is to file a 'False-positive Report' type issue with the project, which typically leads to a suppression being added into the scanner after a triage of the report. For Python they typically take a bit longer to process, as one of the maintainers needs to build and test the suppression. Other language ecosystems have an automatic suppression generation that allows a low-effort triage and approval by one of the project maintainers, after which the automation adds it to the suppressions.

So the recommended course of action is to open your dependency-check report (to be able to copy over some values that are asked for in the false positive report) and use the information within it to open a new issue of type 'False Positive report' in the DependencyCheck project. With the information requested in that form, we at DependencyCheck would be able to create an appropriate rule within the hosted suppressions file so that the autohooks plugin is no longer detected as black itself (while still checking the transitive black dependency, which is already at a fixed version as you indicated in your question ticket).
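As an added illustration of the reporter-side half of that workflow (my example, not code from this issue, from autohooks or from the DependencyCheck project): read the scanner's JSON report, pull out the file name, hash, package URL, CPE and CVE values the false-positive form asks for, flag entries whose CPE product does not match the package name (the plugin-identified-as-black pattern described above), draft the `<suppress>` rule a maintainer could add, and check the drafted rule against the package URLs before submitting it. The report keys used here (`dependencies[].fileName`, `sha1`, `packages[].id`, `vulnerabilityIds[].id`, `vulnerabilities[].name`) are my reading of the ODC JSON report layout, the sample report and the `psf:black` CPE are constructed for the example, and a real report should copy values from the actual scan output rather than from this sample.

```python
"""Extract false-positive-report values from a DependencyCheck JSON report,
flag likely mis-identifications, and draft a suppression rule.

Assumptions (mine, not the project's): the report keys used below follow the
ODC JSON report layout; the sample report and CPE values are constructed.
"""
import json
import re
from xml.etree import ElementTree as ET

# Constructed sample: a plugin wrapping black that the scanner matched to the
# black CPE, plus the (already fixed) transitive black dependency itself.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "autohooks_plugin_black-23.10.0.dist-info",
            "sha1": "0" * 40,
            "packages": [{"id": "pkg:pypi/autohooks-plugin-black@23.10.0"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:psf:black:23.10.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-2024-21503"}],
        },
        {
            "fileName": "black-24.3.0.dist-info",
            "sha1": "1" * 40,
            "packages": [{"id": "pkg:pypi/black@24.3.0"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:psf:black:24.3.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [],
        },
    ]
})


def purl_name(purl):
    """'pkg:pypi/black@24.3.0' -> ('pypi', 'black'): drop the version."""
    m = re.fullmatch(r"pkg:([^/]+)/(.+?)(?:@[^@]*)?", purl)
    if not m:
        raise ValueError("not a package URL: %s" % purl)
    return m.group(1), m.group(2)


def cpe_product(cpe):
    """'cpe:2.3:a:psf:black:23.10.0:...' -> 'cpe:/a:psf:black', the
    vendor:product prefix a suppression <cpe> element matches on."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("unsupported CPE: %s" % cpe)
    return "cpe:/%s:%s:%s" % (parts[2], parts[3], parts[4])


def flagged(report_json):
    """Dependencies with at least one vulnerability, reduced to the fields the
    false-positive report form asks for (file name, hash, purls, CPEs, CVEs)."""
    out = []
    for dep in json.loads(report_json)["dependencies"]:
        if not dep.get("vulnerabilities"):
            continue
        out.append({
            "fileName": dep["fileName"],
            "sha1": dep["sha1"],
            "purls": [p["id"] for p in dep.get("packages", [])],
            "cpes": [v["id"] for v in dep.get("vulnerabilityIds", [])],
            "cves": [v["name"] for v in dep["vulnerabilities"]],
        })
    return out


def looks_misidentified(entry):
    """True when no identified CPE product equals the package name, i.e. the
    scanner tied this package to a different product (plugin reported as black)."""
    names = {purl_name(p)[1].lower().replace("_", "-") for p in entry["purls"]}
    products = {cpe_product(c).rsplit(":", 1)[1].lower() for c in entry["cpes"]}
    return not (names & products)


def suppression(entry):
    """Draft a <suppress> rule: pin the package with a packageUrl regex and drop
    only the mismatched CPE, so the real product stays checked elsewhere."""
    typ, name = purl_name(entry["purls"][0])
    sup = ET.Element("suppress")
    ET.SubElement(sup, "notes").text = (
        "%s is matched to another product's CPE; %s does not apply"
        % (name, ", ".join(entry["cves"])))
    pu = ET.SubElement(sup, "packageUrl", regex="true")
    pu.text = r"^pkg:%s/%s@.*$" % (re.escape(typ), re.escape(name))
    for cpe in sorted({cpe_product(c) for c in entry["cpes"]}):
        ET.SubElement(sup, "cpe").text = cpe
    return ET.tostring(sup, encoding="unicode")


def rule_matches(rule_xml, purl):
    """Check a drafted rule's packageUrl regex against a purl before submitting,
    to confirm it hits the plugin and not the real package."""
    node = ET.fromstring(rule_xml).find("packageUrl")
    return re.match(node.text, purl) is not None


if __name__ == "__main__":
    for entry in flagged(SAMPLE_REPORT):
        print(entry, "misidentified" if looks_misidentified(entry) else "")
        print(suppression(entry))
```

The drafted `<suppress>` element goes inside the root element of a dependency-check suppressions file; for the hosted suppressions the maintainers write the rule themselves, so the reporter's job is the extracted values, the mismatch observation, and the check that the proposed pattern does not also silence the real `black` package.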
@aikebah Based on your feedback, I created this False Positive report: jeremylong/DependencyCheck#6570 Please note that I could not find the CPE value, so I wrote there
Dependency check reported CVE-2024-21503 in black, so it is suggested to update to version 24.3.0. I see the update was already made on the main branch thanks to dependabot. I would like to request a new release of this package, because there is a need for the vulnerability fix in our project.