DependencyCheck
Is there a wrong message about "Microsoft.IdentityModel:7.0.0"?
Dependency-check reported a CVE-2019-1006 problem with Microsoft.IdentityModel.dll in my code. I have upgraded this DLL to the latest version, 7.0.0, but CVE-2019-1006 is still reported. There is only a 7.0.0 version of this DLL on NuGet. The NuGet link in Microsoft's advisory description also recommends upgrading to 7.0.0. Is this a false positive for dependency-check? I use the latest version of dependency-check (7.1.1).
Thanks for your help!
The result comes from OSSINDEX, so either OSSINDEX is listing it wrongly for version 7.0.0, or their research team has judged that 7.0.0 is only partially fixing the issue.
I would recommend registering/logging in with Sonatype OSSINDEX, using their search with the packageURL from the report, and using the link in OSSINDEX to open an issue with them to try and get the source corrected.
https://ossindex.sonatype.org/component/pkg:nuget/Microsoft.IdentityModel@7.0.0
states that v7.0.0 is vulnerable according to them
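As an added triage helper (not code from the dependency-check project or from either poster), the script below reads a dependency-check JSON report, groups each dependency's findings by package URL and by source, and lists the findings that only OSSINDEX reports, together with the OSS Index component link derived from the packageURL. It assumes the report layout used by dependency-check's JSON formatter (`dependencies[].packages[].id` holding the purl and `dependencies[].vulnerabilities[].source` naming the database) and runs on a constructed sample report embedded inline.

```python
import json

# Constructed sample in the shape of a dependency-check JSON report (assumption:
# each dependency carries "packages" with a purl "id" and "vulnerabilities" with a "source").
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "Microsoft.IdentityModel.dll",
            "packages": [{"id": "pkg:nuget/Microsoft.IdentityModel@7.0.0", "confidence": "HIGH"}],
            "vulnerabilities": [{"name": "CVE-2019-1006", "source": "OSSINDEX", "severity": "HIGH"}],
        },
        {
            # Hypothetical clean package, to show that it is skipped.
            "fileName": "Example.Package.dll",
            "packages": [{"id": "pkg:nuget/Example.Package@1.0.0", "confidence": "HIGH"}],
            "vulnerabilities": [],
        },
    ]
})

OSSINDEX_COMPONENT = "https://ossindex.sonatype.org/component/"


def findings_by_purl(report_text):
    """Map each package URL to its findings per source plus the OSS Index link for that purl."""
    report = json.loads(report_text)
    out = {}
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", []) if p.get("id", "").startswith("pkg:")]
        vulns = dep.get("vulnerabilities", [])
        if not purls or not vulns:
            continue  # no purl to look up, or nothing reported
        for purl in purls:
            entry = out.setdefault(purl, {"sources": {}, "ossindex_url": OSSINDEX_COMPONENT + purl})
            for v in vulns:
                entry["sources"].setdefault(v.get("source", "UNKNOWN"), []).append(v["name"])
    return out


def ossindex_only(findings):
    """Findings that OSSINDEX reports and no other source corroborates: the ones to raise with Sonatype."""
    result = {}
    for purl, entry in findings.items():
        ossi = set(entry["sources"].get("OSSINDEX", []))
        others = {n for src, names in entry["sources"].items() if src != "OSSINDEX" for n in names}
        if ossi - others:
            result[purl] = sorted(ossi - others)
    return result


if __name__ == "__main__":
    for purl, names in ossindex_only(findings_by_purl(SAMPLE_REPORT)).items():
        print(purl, names, OSSINDEX_COMPONENT + purl)
```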