DepTrack flags vulnerabilities even though installed version number is unaffected
Current Behavior
My project had these two vulnerabilities flagged in Deptrack which impact Bootstrap versions 3.X and 4.X.
CVE-2024-6531 Affects Bootstrap in Bootstrap Versions >=4.0.0 <=4.6.2 https://www.herodevs.com/vulnerability-directory/cve-2024-6531?bootstrap-nes
CVE-2024-6484 Affects Bootstrap in Bootstrap Versions >=3.2.0 <=3.4.1 https://www.herodevs.com/vulnerability-directory/cve-2024-6484?bootstrap-nes
However, my project is on Bootstrap 5.3.0, which should NOT be affected. And yet, they are both being flagged in Deptrack.
Steps to Reproduce
- Add `"bootstrap": "5.3.0"` as a project dependency in Deptrack.
- Check for vulnerabilities.
- The two vulnerabilities above will be flagged despite us installing a version that is not affected.
Expected Behavior
I would expect DepTrack to NOT flag vulnerabilities of Bootstrap v3 and v4 when I am using Bootstrap v5.
Dependency-Track Version
4.13.2
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Mozilla Firefox
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this defect was already reported
Hi kukwaa, OSS Index reports it as vulnerable, so the issue comes from Sonatype if you use it; do you?
Looking into this further, the culprit appears to be this oddity in the National Vulnerability Database? The second configuration has no version number restrictions. And apparently isn't specifically Bootstrap, either? I feel like DepTrack should be ignoring the second one?
https://nvd.nist.gov/vuln/detail/CVE-2024-6531
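As an added example (not Dependency-Track's, OSS Index's or NVD's code), a small Python evaluator of NVD-style `cpeMatch` version bounds that shows why a configuration entry with no version restrictions matches every installed version, 5.3.0 included, while the bounded 4.0.0..4.6.2 entry correctly rejects it. The `SAMPLE_CONFIGURATIONS` data is constructed to mirror the shape of the NVD CVE API 2.0 `configurations` field; the second entry's vendor and product names are placeholders, not the real NVD record.

```python
BOUND_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")

# Constructed to mirror the NVD CVE API 2.0 'configurations' shape: entry one carries the
# 4.0.0..4.6.2 range quoted above; entry two has no version bounds and placeholder names.
SAMPLE_CONFIGURATIONS = [
    {"nodes": [{"cpeMatch": [{
        "vulnerable": True,
        "criteria": "cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "4.0.0", "versionEndIncluding": "4.6.2"}]}]},
    {"nodes": [{"cpeMatch": [{
        "vulnerable": True,
        "criteria": "cpe:2.3:a:placeholder_vendor:placeholder_product:*:*:*:*:*:*:*:*"}]}]},
]

def parse_version(v):
    # Dotted numeric versions only; a non-numeric segment compares as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def _cmp(a, b):
    # Pad the shorter tuple with zeros so "4.6" compares equal to "4.6.0".
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def version_in_bounds(version, match):
    """True if 'version' satisfies every bound present; no bounds => always True."""
    v = parse_version(version)
    checks = (("versionStartIncluding", lambda c: c >= 0),
              ("versionStartExcluding", lambda c: c > 0),
              ("versionEndIncluding", lambda c: c <= 0),
              ("versionEndExcluding", lambda c: c < 0))
    return all(ok(_cmp(v, parse_version(match[k])))
               for k, ok in checks if match.get(k) is not None)

def has_version_bounds(match):
    # Bounded if the CPE carries an explicit version (field 5) or any range key.
    fields = match["criteria"].split(":")
    explicit = len(fields) > 5 and fields[5] not in ("*", "-")
    return explicit or any(k in match for k in BOUND_KEYS)

def evaluate(version, configurations):
    # Per vulnerable cpeMatch: is the installed version in range, and is the entry
    # unbounded (the case to triage by hand before trusting the match)?
    return [{"criteria": m["criteria"],
             "in_range": version_in_bounds(version, m),
             "unbounded": not has_version_bounds(m)}
            for cfg in configurations for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", []) if m.get("vulnerable")]
```

Running `evaluate("5.3.0", SAMPLE_CONFIGURATIONS)` reports the bounded entry as out of range and the unbounded entry as both in range and unbounded, which is the entry a scanner would have to special-case to avoid this false positive.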
This seems to be a recurring theme with HeroDevs vulnerabilities. Now it's CVE-2024-10491, where Sonatype lists the vulnerability affecting 3.x (which is 10 years EOL) as also affecting 4.x and 5.x.