
CVE severity reported in Frogbot pull request does not match the GHSA

Open · juv opened this issue 7 months ago • 1 comment

Describe the bug

On Nov 21, 2023 Frogbot created a pull request for one of our Java repositories. The pull request states that the severity of the impacted dependency io.netty:netty-handler 4.1.100.Final is high. The GHSA link given in Frogbot's pull request shows severity moderate (5.3/10). The last update to this GHSA was on Nov 10, 2023 according to the timeline at the bottom of the GHSA page. So the last change to the GHSA was roughly 11 days before our PR was created with severity high.

Screenshot of the pull request: image

Screenshot of the GHSA: image

Current behavior

Frogbot pull request gets created with a severity that does not match the GHSA severity, even though the GHSA is linked in the pull request.

Reproduction steps

No response

Expected behavior

I would have expected the severity to be shown as "moderate", like in the referenced GHSA.

JFrog Frogbot version

2.19.2

Package manager info

pom.xml

Git provider

GitHub

JFrog Frogbot configuration yaml file

No response

Operating system type and version

Ubuntu 22

JFrog Xray version

No response

juv, Nov 27 '23 11:11