frogbot
CVE severity reported in Frogbot pull request does not match the GHSA
Describe the bug
On Nov 21, 2023, Frogbot created a pull request for one of our Java repositories.
The pull request states that the severity of the impacted dependency io.netty:netty-handler 4.1.100.Final is high.
The GHSA link given in Frogbot's pull request shows severity moderate (5.3/10). The last update to this GHSA was on Nov 10, 2023 according to the timeline at the bottom of the GHSA page. So the last change to the GHSA was roughly 11 days before our PR was created with severity high.
Screenshot of the pull request:
Screenshot of the GHSA:
Current behavior
Frogbot pull request gets created with a severity that does not match the GHSA severity, even though the GHSA is linked in the pull request.
Reproduction steps
No response
Expected behavior
I would have expected the severity to be shown as "moderate", like in the referenced GHSA.
JFrog Frogbot version
2.19.2
Package manager info
pom.xml
Git provider
GitHub
JFrog Frogbot configuration yaml file
No response
Operating system type and version
Ubuntu 22
JFrog Xray version
No response