dependency-track
CVE-2023-35116 not visible on component with jackson-databind 2.13.4.2
Current Behavior
We have uploaded an SBOM with jackson-databind 2.13.4.2 with the following identity information:
We noticed that CVE-2023-35116 is not visible in the vulnerabilities tab of Dependency-Track:
According to the CPE information, the CVE is applicable up to (excluding) 2.16.0.
The project is active, it does detect other vulnerabilities on other components in the same project but not CVE-2023-35116. We do have another SBOM uploaded which contains jackson-databind 2.15.2 where the CVE issue is detected.
Steps to Reproduce
- Upload SBOM with sbom_test.json
- No vulnerabilities are matched to this component, whereas we would expect CVE-2023-35116
Expected Behavior
1 reported vulnerability for the jackson-databind component (i.e. CVE-2023-35116)
Dependency-Track Version
4.11.0
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
N/A
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
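An added example to reproduce the expectation stated in this report; it is not part of the issue and not Dependency-Track's own code. It builds a constructed minimal CycloneDX SBOM for jackson-databind 2.13.4.2 (the attached sbom_test.json is not available here), and applies the NVD range from the report ("up to, excluding 2.16.0") with a comparator that pads the four-segment version 2.13.4.2 to the same width as 2.16.0, so a practitioner can confirm the component is expected to match before blaming the analyzer. The `upload_bom` helper uses the documented `PUT /api/v1/bom` endpoint with a base64-encoded BOM; the base URL, API key and project UUID are placeholders to fill in.

```python
"""Build a minimal CycloneDX SBOM for jackson-databind 2.13.4.2 and check the
component version against the NVD range reported for CVE-2023-35116."""
import base64
import json
import re
import urllib.request

# From the report: the CVE applies to all versions up to, but excluding, 2.16.0.
VERSION_END_EXCLUDING = "2.16.0"


def parse_version(v: str):
    """Split '2.13.4.2' into numeric segments plus any trailing qualifier
    (e.g. '-rc1'), so pre-releases can be ordered before the final release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, m.group(2)


def version_lt(a: str, b: str) -> bool:
    """True if a < b. Shorter numeric tuples are zero-padded, so 2.13.4.2 is
    compared as (2,13,4,2) against 2.16.0 as (2,16,0,0)."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return na < nb
    # Same numeric part: a qualified version (pre-release) sorts before the plain release.
    return qa != "" and qb == ""


def in_range(version: str, end_excluding: str = VERSION_END_EXCLUDING) -> bool:
    """Does this version fall inside the 'versionEndExcluding' range of the CVE?"""
    return version_lt(version, end_excluding)


def build_sbom(name: str, version: str, group: str = "com.fasterxml.jackson.core") -> dict:
    """Constructed single-component CycloneDX 1.4 SBOM with PURL and CPE identity."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": [{
            "type": "library",
            "group": group,
            "name": name,
            "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}",
            "cpe": f"cpe:2.3:a:fasterxml:{name}:{version}:*:*:*:*:*:*:*",
        }],
    }


def upload_bom(base_url: str, api_key: str, project_uuid: str, sbom: dict) -> dict:
    """PUT /api/v1/bom with the BOM base64-encoded; returns {"token": ...},
    which can be polled at /api/v1/bom/token/{token} until processing finishes."""
    payload = {
        "project": project_uuid,
        "bom": base64.b64encode(json.dumps(sbom).encode()).decode(),
    }
    req = urllib.request.Request(
        f"{base_url}/api/v1/bom",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"X-Api-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        return json.load(resp)


if __name__ == "__main__":
    # Both versions from the report should be inside the affected range;
    # only one of them is currently flagged by the instance in the report.
    for v in ("2.13.4.2", "2.15.2", "2.16.0"):
        print(v, "expected to match CVE-2023-35116:", in_range(v))
    print(json.dumps(build_sbom("jackson-databind", "2.13.4.2"), indent=2))
    # upload_bom("https://dtrack.example.invalid", "<api-key>", "<project-uuid>", sbom)
```

If the range check says the version is affected but the instance still reports nothing, the discrepancy is in the matching path (identity data on the component or the analyzer), not in the version itself; that is the point at which to compare the two uploaded SBOMs' PURL and CPE fields.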