[FP]: npm loader-utils@1.4.1

[Felk]

Package URl

pkg:npm/loader-utils@1.4.1

CPE

cpe:2.3:a:webpack.js:loader-utils:1.4.1:::::::*

CVE

CVE-2022-37601

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

7.3.0

Description

CVE-2022-37601 was also fixed in loader-utils@1.4.1 via backport, as per webpack/loader-utils#218 and https://github.com/webpack/loader-utils/releases/tag/v1.4.1

[github-actions]

Npm Coordinates

npm -i loader-utils@1.4.1

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #5044
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/loader-utils@.*$</packageUrl>
   <cpe>cpe:/a:webpack.js:loader-utils</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/3437067363

[aikebah]

@Felk This was due to the vulnerability data at the NIST NVD datastreams. It has been updated meanwhile (at 11/17/2022 9:14:18 AM), but in future you can directly reach out to them using the "[Are we missing a CPE here? Please let us know]" link of the NVD page of the vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-37601)

[Felk]

ah, good to know thanks!