
Is there a false positive in commons-discovery.js?

Open t3xtm0d3 opened this issue 3 years ago • 1 comment

We have found that the DependencyCheck reported that one of the packages contains a vulnerability with CVE-2022-0869. The CVE involves a python-based forum named 'Spirit' which is vulnerable to an Open Redirect vulnerability. By the way, the tool reported that the package commons-discovery.js was vulnerable to the stated CVE. I think the two packages are not related. Could you please help check the findings?


t3xtm0d3 avatar Jul 05 '22 08:07 t3xtm0d3

While this is a false positive, I would not recommend depending on the library. The library is in the dormant section of Apache Commons. https://commons.apache.org/dormant.html https://commons.apache.org/dormant/commons-discovery/index.html

On top of that your version is 3 minor revisions behind their latest release.

aikebah avatar Jul 06 '22 20:07 aikebah
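Once a match like this is confirmed to be a false positive, the usual way to keep it out of future DependencyCheck reports is a suppression file passed to the scanner (for example via `--suppression` on the CLI or the `suppressionFile` setting in the Maven/Gradle plugins). The file below is an added example written for this thread, not something posted by either participant or shipped by the project; it uses the public suppression schema and scopes the rule to the file name and CVE named above. The `filePath` regex is an assumption about how the dependency appears in the report, so adjust it to the actual path, or replace it with the `<sha1>` of the artifact for a tighter match.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for DependencyCheck; not from the original thread. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: CVE-2022-0869 concerns the Python "Spirit" forum,
        not commons-discovery. Confirmed in DependencyCheck issue thread.
        Scoped to the single CVE so that genuine findings for this file
        are still reported.
        ]]></notes>
        <!-- Assumed file-name pattern; narrow it to the real path, or use <sha1> instead. -->
        <filePath regex="true">.*commons-discovery.*\.js</filePath>
        <cve>CVE-2022-0869</cve>
    </suppress>
</suppressions>
```

Keeping the rule to one `<cve>` rather than suppressing the whole file means the scanner still flags any future, genuinely applicable advisory for this dependency, which matters here because the library is dormant and will not receive upstream fixes.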