[FP]: autohooks-plugin-black is detected as black, however they have transitive dependency #6570
Comments
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612043435
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612071108
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612099202
Error parsing package url: https://pypi.org/project/autohooks-plugin-black/. Error: Error: purl is missing the required "pkg" scheme component. Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8612107239
This issue report triggered 7 workflow errors: https://github.com/jeremylong/DependencyCheck/actions/runs/8612107239
Our project uses ODC through Jenkins Plugin: https://plugins.jenkins.io/dependency-check-jenkins-plugin/
@vmatyusGitHub The workflow errors are because you copied a website URL for the package, rather than a packageURL for the packageURL field. The packageUrl will start with pkg: and can be found on the dependencyCheck report outputted by your scan. Same holds for the CPE
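As an added example (not part of this issue and not DependencyCheck's own code), the following Python shows the distinction the maintainer draws: a Package URL such as pkg:pypi/autohooks-plugin-black@23.10.0 parses, while the pypi.org web address fails the same "pkg" scheme check the bot reported. Assumed: the parser follows the public purl grammar rather than ODC's implementation, and the error wording is copied from the bot's comments above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote

# Added example, not DependencyCheck code: a minimal Package URL (purl) parser following
# the public purl grammar pkg:type/namespace/name@version?qualifiers#subpath.
# The scheme error text is the wording the issue bot posted (taken from the issue).
PKG_ERROR = 'purl is missing the required "pkg" scheme component'

@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

def parse_purl(purl: str) -> Purl:
    """Parse a purl string; a website URL fails the same scheme check the bot applies."""
    if not purl.startswith("pkg:"):
        raise ValueError(PKG_ERROR)
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # subpath is everything after '#'
    rest, _, qualifiers = rest.partition("?")   # qualifiers follow '?'
    # an unescaped '@' only ever separates the version, so split from the right
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    parts = rest.split("/")
    ptype, name = parts[0].lower(), unquote(parts[-1])
    if len(parts) < 2 or not ptype or not name:
        raise ValueError("purl needs a type and a name")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    quals = {}
    for kv in filter(None, qualifiers.split("&")):
        key, _, val = kv.partition("=")
        quals[key.lower()] = unquote(val)
    return Purl(ptype, name, namespace, unquote(version) or None, quals, unquote(subpath) or None)

def purl_for_pypi(name: str, version: Optional[str] = None) -> str:
    """Build a PyPI purl: the spec lowercases the name and replaces '_' with '-'."""
    canonical = name.lower().replace("_", "-")
    return f"pkg:pypi/{canonical}" + (f"@{version}" if version else "")

def check_package_url_field(value: str) -> str:
    """Return 'ok' when a report field holds a purl, otherwise the error the bot would post."""
    try:
        parse_purl(value)
        return "ok"
    except ValueError as exc:
        return str(exc)
```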
Package URL
https://pypi.org/project/autohooks-plugin-black/
CPE
Unknown
CVE
CVE-2024-21503
ODC Integration
CLI
ODC Version
8.4.2
Description
Dependency check reported CVE-2024-21503 in black, this way it is suggested to update to use version 24.3.0.
I made the update in the project, but dependency checker still reports a problem with black:23.10.0:
File Path /home/*/dependencies/site-packages/autohooks/plugins/black/__init__.py
I suspect because autohooks-plugin-black = ">=23.10.0" is in use. See package details in this comment: greenbone/autohooks#650 (comment)
I reported the issue to the project provider: greenbone/autohooks#650, but he is also confused about why this package is vulnerable.
Turned out ODC sees autohooks-plugin-black as a black image. But they are two separate and transitive images. See comment here.