Explain why autohooks-plugin-black is marked as vulnerable

[vmatyus]

Dependency check reported CVE-2024-21503 in black, this way it is suggested to update to use version 24.3.0.

I made the update in the project, but dependency checker still reports a problem with black:23.10.0:
File Path /home/*/dependencies/site-packages/autohooks/plugins/black/__init__.py

I suspect because autohooks-plugin-black = ">=23.10.0" in use.
See package details in this comment: greenbone/autohooks#650 (comment)

I reported the issue to the project provider: greenbone/autohooks#650, but he is also confused why is this package vulnerable.

Could you please explain us why is this package is problematic?
What is the logic in the checker?

Considering we do not see this as a vulnerable point I added this alert as a false positive.

[vmatyus]

I had the opportunity to try out the execution with dependency-check 9.1.0 and the tool still reports the black auto-hook plugin as vulnerable.
Thank you for your help in advance.

[aikebah]

Due to how dependencycheck works your autohook plugin is seen as the black library itself. That plugin is at version 23.10.0.

See also http://jeremylong.github.io/DependencyCheck/general/suppression.html and the also there linked http://jeremylong.github.io/DependencyCheck/general/internals.html

[vmatyus]

Thank you for your help.
I've opened a request to release a new version from autohooks-plugin-black: greenbone/autohooks-plugin-black#560