This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Bug: node-canvas Incorrect vulnerability details #326

Open
vladmandic opened this issue Sep 7, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@vladmandic

Vulnerability URL
https://ossindex.sonatype.org/vulnerability/sonatype-2019-0142

Description

pkg:npm/canvas@2.10.0 - 1 vulnerability found!

  Vulnerability Title:  1 vulnerability found
  ID:  sonatype-2019-0142
  Description:  1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account
  CVSS Score:  8.6
  CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  Reference:  https://ossindex.sonatype.org/vulnerability/sonatype-2019-0142

However, this vulnerability was fixed a long time ago. The advisory clearly states that it only impacts versions 1.6.9 and below, yet here the vulnerability is reported for version 2.10.0!

See GHSA-vpq5-4rc8-c222 for fix confirmation.

This seems to be a NEW false positive, as it was not reported for recent versions, so there may be a semver compare mismatch on the ossindex side?

@vladmandic vladmandic added the bug Something isn't working label Sep 7, 2022
@vladmandic vladmandic changed the title Bug: <https://ossindex.sonatype.org/vulnerability/sonatype-2019-0142> Incorrect vulnerability details Bug: node-canvas Incorrect vulnerability details Sep 21, 2022
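The report above amounts to a triage step that any consumer of scanner output can automate: take the package URL the scanner printed, take the affected range the advisory itself states (here, 1.6.9 and below), and check whether the reported version actually falls inside it. The block below is an added example, not code from this issue, from OSS Index or from the auditjs project. It implements a minimal numeric SemVer compare, a constructed `<=`/`>=` range syntax (an assumption; it is not OSS Index's format), and a `triageFinding` helper, and it contrasts the numeric compare with a naive string compare to show the kind of "semver compare mismatch" the reporter suspects. Whether that is the real cause of this particular report is not established by the issue; the example only shows how such a mismatch would look.

```javascript
// Added example: verify a scanner finding against the advisory's stated
// affected-version range, and show how a lexicographic (string) version
// compare can produce false positives that a numeric SemVer compare does not.
// Range syntax ("<=1.6.9", ">=2.0.0", space-separated, all must hold) is an
// assumption made for this example, not the scanner's own format.

// Parse "MAJOR.MINOR.PATCH" (optionally "v"-prefixed, with pre-release or build
// metadata ignored) into three numbers. Throws on anything else.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a SemVer version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise compare: returns -1, 0 or 1.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Naive comparator that treats versions as plain strings: "1.10.0" sorts
// before "1.6.9" because '1' < '6'. This is the classic mismatch.
function compareLexicographic(a, b) {
  return a < b ? -1 : a > b ? 1 : 0;
}

// Does `version` satisfy every constraint in `range` under comparator `cmp`?
function satisfies(version, range, cmp = compareSemver) {
  return range.split(/\s+/).filter(Boolean).every((constraint) => {
    const [, op = "=", bound] = /^(<=|>=|<|>|=)?(.+)$/.exec(constraint);
    const r = cmp(version, bound);
    switch (op) {
      case "<":  return r < 0;
      case "<=": return r <= 0;
      case ">":  return r > 0;
      case ">=": return r >= 0;
      default:   return r === 0;
    }
  });
}

// Split an npm package URL such as "pkg:npm/canvas@2.10.0" into name and version.
function parsePurl(purl) {
  const m = /^pkg:npm\/(.+)@([^@]+)$/.exec(purl);
  if (!m) throw new Error(`unsupported package URL: ${purl}`);
  return { name: m[1], version: m[2] };
}

// Triage a finding: is the reported version inside the advisory's affected range?
function triageFinding(purl, affectedRange, cmp = compareSemver) {
  const { name, version } = parsePurl(purl);
  const affected = satisfies(version, affectedRange, cmp);
  return {
    name,
    version,
    affected,
    verdict: affected ? "confirmed: version is in affected range"
                      : "likely false positive: version is outside affected range",
  };
}

// Affected range as stated in the issue: 1.6.9 and below (written in the
// constructed range syntax above).
const AFFECTED_RANGE = "<=1.6.9";

// Stand-alone demonstration on the package URL from the scanner output, plus a
// constructed version that exposes the lexicographic pitfall.
for (const purl of ["pkg:npm/canvas@2.10.0", "pkg:npm/canvas@1.6.9", "pkg:npm/canvas@1.10.0"]) {
  const numeric = triageFinding(purl, AFFECTED_RANGE);
  const naive = triageFinding(purl, AFFECTED_RANGE, compareLexicographic);
  console.log(`${purl}: semver -> ${numeric.verdict}; string compare -> affected=${naive.affected}`);
}
```

Note that the reported version, 2.10.0, falls outside the range under both comparators, so a plain string compare would not by itself explain this report; the constructed 1.10.0 case is where the two comparators diverge, and it is the shape of bug to look for when a scanner starts flagging versions above an advisory's stated upper bound.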
@ken-duck
Contributor

Sorry for the delay.

Thank you for your report. We are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users. I have moved your request to the internal tracking system and the research team will look into the issue shortly.

If you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org
