DependencyCheck
[FP]: lodash: 4.17.21 identified as vulnerable, multiple CVEs
Package URL
https://ossindex.sonatype.org/component/pkg:npm/lodash@0px
CPE
pkg:javascript/lodash@0px
CVE
CVE-2019-10744 CVE-2021-23337 CVE-2018-3721 CVE-2019-1010266 CVE-2018-16487 CVE-2020-28500
ODC Integration
CLI
ODC Version
9.0.9
Description
Versions of lodash lower than 4.17.12 have the following CVEs: CVE-2019-10744 CVE-2021-23337 CVE-2018-3721 CVE-2019-1010266 CVE-2018-16487 CVE-2020-28500
But they are also flagged for lodash 4.17.21.
Error parsing package url: https://ossindex.sonatype.org/component/pkg:npm/lodash@0px.
Error: Error: purl is missing the required "pkg" scheme component.
Please correct the package URL - consider copying the package url from the HTML report.
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/7612404195
https://ossindex.sonatype.org/component/pkg:javascript/lodash@0px?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.9
I tried the following:
- Start in an empty repository
- Run `npm i lodash@4.17.21`
- Run `/path/to/dependencycheck/bin/dependency-check.sh -s .`
But I fail to reproduce. Based on the URL towards OSSIndex that you quote, you suffer from a mangled lodash package that gets identified as lodash version 0px.
My run properly shows lodash as lodash v4.17.21 and surfaces no FPs.