
False positive for CVE-2024-43485 with dotnet 9 or 9.x.x packages

Open pregress opened this issue 11 months ago • 7 comments

Current Behavior

CVE-2024-43485 is being flagged as a vulnerability, but dotnet 9 or packages with >=8.0.10 are not affected according to dt.


Steps to Reproduce

  1. Create a csproj for dotnet 9
  2. Reference System.Text.Json 9.0.1
  3. Create sbom
  4. Import sbom in dt
  5. False positive for CVE-2024-43485

Expected Behavior

  1. Create a csproj for dotnet 9
  2. Reference System.Text.Json 9.0.1
  3. Create sbom
  4. Import sbom in dt
  5. No false positive

Dependency-Track Version

4.12.2

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

Google Chrome

Checklist

pregress avatar Jan 21 '25 09:01 pregress
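Because the thread never settles whether the flagged versions are actually affected, a triage pass over the findings helps before suppressing anything. The following is an added example and not Dependency-Track's code: a hypothetical Python helper that parses NuGet purls out of finding records and marks CVE-2024-43485 findings whose version the issue reports as unaffected (9.x, or 8.0.10 and later) for analyst review. The finding record shape is a constructed simplification, not the Dependency-Track findings API.

```python
"""Triage helper for the CVE-2024-43485 / System.Text.Json false positive.

Hypothetical helper, not part of Dependency-Track. The Finding record is a
constructed, simplified stand-in for whatever your findings export looks like.
"""
import re
from typing import NamedTuple

CVE_ID = "CVE-2024-43485"
PACKAGE = "system.text.json"
# Per the issue, System.Text.Json >= 8.0.10 (which includes 9.x) is not affected.
UNAFFECTED_FROM = "8.0.10"


class Finding(NamedTuple):
    purl: str        # CycloneDX package URL of the component
    vuln_id: str     # vulnerability identifier reported by the analyzer
    suppressed: bool # already suppressed in the project


def parse_nuget_purl(purl):
    """Split 'pkg:nuget/System.Text.Json@9.0.1' into (name, version)."""
    m = re.fullmatch(r"pkg:nuget/([^@?#]+)@([^?#]+)(?:[?#].*)?", purl)
    if not m:
        raise ValueError(f"not a NuGet purl: {purl}")
    return m.group(1), m.group(2)


def version_key(version):
    """Sortable key for a NuGet/SemVer-style version. Numeric parts are padded
    to four components; a pre-release (e.g. 8.0.10-preview.1) sorts below the
    corresponding release, so a pre-release of the fixed version stays flagged."""
    core, _, prerelease = version.partition("-")
    core = core.split("+", 1)[0]  # drop build metadata
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return (nums, 0 if prerelease else 1)


def is_reported_unaffected(version):
    return version_key(version) >= version_key(UNAFFECTED_FROM)


def suspected_false_positives(findings):
    """Return purls of unsuppressed CVE-2024-43485 findings on System.Text.Json
    versions the issue reports as unaffected; these deserve a manual look."""
    out = []
    for f in findings:
        if f.vuln_id != CVE_ID or f.suppressed:
            continue
        try:
            name, version = parse_nuget_purl(f.purl)
        except ValueError:
            continue  # not a NuGet component, e.g. pkg:npm/...
        if name.lower() == PACKAGE and is_reported_unaffected(version):
            out.append(f.purl)
    return out


SAMPLE_FINDINGS = [  # constructed sample input
    Finding("pkg:nuget/System.Text.Json@9.0.1", CVE_ID, False),
    Finding("pkg:nuget/System.Text.Json@8.0.10", CVE_ID, False),
    Finding("pkg:nuget/System.Text.Json@8.0.4", CVE_ID, False),
    Finding("pkg:nuget/System.Text.Json@8.0.10-preview.1", CVE_ID, False),
    Finding("pkg:nuget/System.Text.Json@9.0.1", CVE_ID, True),
    Finding("pkg:nuget/Newtonsoft.Json@13.0.3", CVE_ID, False),
]

if __name__ == "__main__":
    for purl in suspected_false_positives(SAMPLE_FINDINGS):
        print("review for suppression:", purl)
```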

I keep having to suppress this over and over again; it goes away for projects for a while, and then pops back up again at some random interval.

horros avatar Mar 13 '25 09:03 horros

Having the same problem. Will this be fixed soon?

josundt avatar Apr 07 '25 10:04 josundt

When will this be addressed?

filipw avatar May 28 '25 11:05 filipw

Hi @pregress, do you have the OSS Index analyzer enabled? I see that the problem seems to be due to OSS Index: https://ossindex.sonatype.org/component/pkg:nuget/System.Text.Json I contacted them to request a correction.

antoinbo avatar Jun 03 '25 09:06 antoinbo

@antoinbo

When you contacted OSS Index and requested a correction; did you make the request through a GitHub issue or similar? If your correction request is publicly available, it would be nice if you could provide a link so that we can monitor the status of the case.

josundt avatar Jun 03 '25 11:06 josundt

Hi @pregress, do you have the OSS Index analyzer enabled? I see that the problem seems to be due to OSS Index: https://ossindex.sonatype.org/component/pkg:nuget/System.Text.Json I contacted them to request a correction.

Don't know, we stopped using dependency track.

pregress avatar Jun 03 '25 11:06 pregress

@josundt I contacted them via the 💬 Report advisory or correction link, which says:

Missing or Incorrect Advisory

To report an advisory missing from OSS Index, or a correction to an existing report, please email us at ✉️ [email protected].

So I will keep you informed here.

antoinbo avatar Jun 04 '25 09:06 antoinbo

Same here! Any news?

Willimaendu avatar Aug 14 '25 17:08 Willimaendu

Hi @Willimaendu, I was in contact with them, they asked for recommended corrections. No update since. I sent them a reminder today.

antoinbo avatar Aug 27 '25 09:08 antoinbo

Any news here?

pvarshney123 avatar Sep 16 '25 17:09 pvarshney123

No, so my next step will be to check what it detects, as it appears to only report false positives.

antoinbo avatar Sep 20 '25 13:09 antoinbo