
False positive on pandas 1.3.3 - CVE-2020-13091

Open bahrb opened this issue 3 years ago • 1 comments

Current Behavior:

Using pandas in version 1.3.3 raised CVE-2020-13091, which was fixed beyond 1.0.3 (found by the OSS Index analyzer).

Steps to Reproduce:

Use the attached prepared BOM to reproduce the issue. Create a new project with the frontend and upload the BOM file: reproduce-bom.xml.zip

Expected Behavior:

CVE-2020-13091 will not be raised by the tracker for pandas 1.3.3.

Environment:

  • Dependency-Track Version: 4.5.0
  • Distribution: Docker
  • BOM Format & Version: XML 1.4 (produced with anchore syft 0.47.0 on docker)
  • Database Server: PostgreSQL
  • Browser: Firefox 100.0.2

bahrb avatar Jun 13 '22 13:06 bahrb
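The report above hinges on a version-range question: is 1.3.3 at or beyond the version in which the CVE was fixed? The script below is an added example (not code from the issue, from Dependency-Track, or from OSS Index) that parses a CycloneDX 1.4 XML BOM and triages an analyzer finding locally by comparing the installed version against a first-fixed version. The BOM embedded here is constructed for the example and is not the reporter's attached reproduce-bom.xml; the FIXED_IN table is a hypothetical local lookup, not OSS Index data. The one thing it shows beyond the report is why the comparison has to be numeric per segment: a string comparison would rank "1.10.0" below "1.3.3" and produce exactly this kind of false positive.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal CycloneDX 1.4 XML BOM in the shape syft emits.
# It is NOT the reporter's attachment; versions are chosen for the example.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>pandas</name>
      <version>1.3.3</version>
      <purl>pkg:pypi/pandas@1.3.3</purl>
    </component>
    <component type="library">
      <name>numpy</name>
      <version>1.21.2</version>
      <purl>pkg:pypi/numpy@1.21.2</purl>
    </component>
  </components>
</bom>
"""

NS = {"bom": "http://cyclonedx.org/schema/bom/1.4"}

# Hypothetical local triage table: first fixed version per (package, CVE).
# This is an assumption for the example, not data taken from the page or OSS Index.
FIXED_IN = {("pandas", "CVE-2020-13091"): "1.0.3"}


def parse_version(v):
    """Turn '1.3.3' into (1, 3, 3) so ordering is numeric per segment.

    Lexical comparison is the classic mistake: "1.10.0" < "1.3.3" as strings.
    Non-numeric segments (e.g. 'rc1') count as 0 here; trailing zeros are
    dropped so 1.3 and 1.3.0 compare equal.
    """
    parts = []
    for piece in re.split(r"[.\-+]", v):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def components(bom_xml):
    """Yield (name, version) for each component in a CycloneDX 1.4 XML BOM."""
    root = ET.fromstring(bom_xml)
    for comp in root.findall("bom:components/bom:component", NS):
        name = comp.findtext("bom:name", default="", namespaces=NS)
        version = comp.findtext("bom:version", default="", namespaces=NS)
        yield name, version


def triage(bom_xml, findings):
    """Classify each (component name, CVE id) the analyzer reported.

    Returns a dict CVE -> 'likely false positive' (installed >= first fixed),
    'affected' (installed < first fixed) or 'unknown' (no data to decide).
    """
    versions = dict(components(bom_xml))
    result = {}
    for name, cve in findings:
        fixed = FIXED_IN.get((name, cve))
        installed = versions.get(name)
        if fixed is None or installed is None:
            result[cve] = "unknown"
        elif parse_version(installed) >= parse_version(fixed):
            result[cve] = "likely false positive"
        else:
            result[cve] = "affected"
    return result


if __name__ == "__main__":
    # Reproduces the reporter's reasoning: pandas 1.3.3 is past the fix in 1.0.3.
    print(triage(SAMPLE_BOM, [("pandas", "CVE-2020-13091")]))
```

A local check like this only tells you whether the reporter's premise holds for your BOM; the analyzer's verdict comes from the vulnerable-range data published by the external source, so when the two disagree the correction has to be made upstream in that source's data, not in the SBOM.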

Hi @bahrb, false positives raised by an external source are not something we can do anything about. For OSS Index, please file your correction in this repo: https://github.com/OSSIndex/vulns

nscuro avatar Jun 13 '22 18:06 nscuro