
False Positive: System.Data.SqlClient 4.8.5

Open cmenzi opened this issue 2 years ago • 4 comments

Current Behavior

We get System.Data.SqlClient 4.8.5 listed as a vulnerability (CVE-2022-41064). But according to MSFT this is the fixed version.

https://github.com/advisories/GHSA-8g2p-5pqh-5jmc

Package PURL: pkg:nuget/System.Data.SqlClient@4.8.5

Steps to Reproduce

  1. Create C# Project and add <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
  2. Scan

Expected Behavior

Should not be listed as vulnerability

Dependency-Track Version

4.5.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

cmenzi avatar Dec 15 '22 06:12 cmenzi

Hello @cmenzi

The difference lies with OSSIndex, which reports v4.8.5 as still vulnerable.

[screenshot: dt_oss_index]

https://ossindex.sonatype.org/vulnerability/CVE-2022-41064

[screenshot: dt_oss_index2]

You can create an issue in the OSSIndex repo if need be: https://github.com/OSSIndex/vulns

syalioune avatar Dec 15 '22 11:12 syalioune

I've reported the issue and they are telling me I have to check the deviation notice. It's because 4.8.5 is still vulnerable when somebody is using netstandard1.3.

Not sure if this deviation notice could be processed somehow in Dependency-Track?

cmenzi avatar Dec 18 '22 10:12 cmenzi

That deviation notice is not machine readable and processable by DT, which only reports what OSSIndex tells it. The only possibility for you, if you don't use netstandard 1.3, is to audit the vulnerability:

  • Manually audit the vulnerability using the UI and even suppress it
  • Automatically audit the vulnerability using a VEX. Some examples are given here. You can also refer to this discussion https://github.com/DependencyTrack/dependency-track/issues/1872#issuecomment-1254265425

syalioune avatar Dec 18 '22 18:12 syalioune
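The VEX route described in the comment above, as an added example that is not part of this thread or of the Dependency-Track project: the script first reads the project's target frameworks out of the .csproj (the condition named in the deviation notice), and only if netstandard1.3 is not targeted does it emit a CycloneDX VEX document marking CVE-2022-41064 as `not_affected` for the component. It assumes the component's PURL in the uploaded BOM is exactly `pkg:nuget/System.Data.SqlClient@4.8.5` (Dependency-Track matches `affects[].ref` against the component's PURL or bom-ref, so the value must match what the BOM contains), that the running Dependency-Track accepts a CycloneDX 1.4 VEX, and that the resulting file is uploaded through the UI or REST API, which the script does not do. The .csproj content is constructed sample input.

```python
"""Emit a CycloneDX VEX that records a 'not affected' decision for a finding
Dependency-Track imported from OSS Index, after checking the condition under
which the finding would actually apply.

Added example, not Dependency-Track project code. Assumptions are marked.
"""
import json
import xml.etree.ElementTree as ET

# Assumption: the PURL below is exactly what the project's BOM contains.
COMPONENT_PURL = "pkg:nuget/System.Data.SqlClient@4.8.5"
CVE_ID = "CVE-2022-41064"
SPEC_VERSION = "1.4"  # assumption: the DT instance accepts CycloneDX 1.4 VEX

# CycloneDX 1.4 analysis.justification enum values.
JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}

# Constructed sample .csproj (multi-targeting, no netstandard1.3).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net6.0;netstandard2.0</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
  </ItemGroup>
</Project>
"""


def target_frameworks(csproj_xml):
    """Collect every TFM from <TargetFramework> / <TargetFrameworks> elements.

    Old-style projects carry an MSBuild XML namespace, so compare on the local
    tag name rather than the qualified one.
    """
    root = ET.fromstring(csproj_xml)
    tfms = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in ("TargetFramework", "TargetFrameworks") and el.text:
            tfms.extend(t.strip() for t in el.text.split(";") if t.strip())
    return tfms


def affected_by_deviation(tfms):
    """True when the deviation notice's condition (netstandard1.3) is met."""
    return any(t.lower() == "netstandard1.3" for t in tfms)


def build_vex(purl, cve_id, detail, justification="requires_environment"):
    """Return a minimal CycloneDX VEX document for one component/CVE pair.

    requires_environment fits this case: the fix is ineffective only when the
    consuming project targets netstandard1.3.
    """
    if justification not in JUSTIFICATIONS:
        raise ValueError("unknown CycloneDX justification: %s" % justification)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": SPEC_VERSION,
        "version": 1,
        "vulnerabilities": [{
            "id": cve_id,
            "source": {"name": "NVD",
                       "url": "https://nvd.nist.gov/vuln/detail/" + cve_id},
            "analysis": {
                "state": "not_affected",
                "justification": justification,
                "response": ["will_not_fix"],
                "detail": detail,
            },
            "affects": [{"ref": purl}],
        }],
    }


def vex_for_project(csproj_xml, purl=COMPONENT_PURL, cve_id=CVE_ID):
    """Return the VEX document, or None when the project really is affected."""
    tfms = target_frameworks(csproj_xml)
    if affected_by_deviation(tfms):
        return None  # do not suppress: the deviation notice applies
    detail = ("Package 4.8.5 is only affected when targeting netstandard1.3; "
              "this project targets " + ", ".join(tfms) + ".")
    return build_vex(purl, cve_id, detail)


if __name__ == "__main__":
    doc = vex_for_project(SAMPLE_CSPROJ)
    if doc is None:
        print("project targets netstandard1.3; leave the finding open")
    else:
        with open("vex.json", "w") as fh:
            json.dump(doc, fh, indent=2)
        print("wrote vex.json; upload it to the Dependency-Track project")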

Seems that issue is still exist: https://github.com/advisories/GHSA-98g6-xh36-x2p7

alsommer1 avatar Feb 07 '24 07:02 alsommer1