False-Positive: Receiving findings for lodash@4.17.21

[harshit-kochar]

PURL of wrongly matched component

pkg:npm/lodash@4.17.21

Depscan findings

Receiving {"id": "CVE-2019-1010266", "package": "npm:lodash", "purl": "pkg:npm/lodash@4.17.21", "package_type": "npm", "package_usage": "required", "version": "4.17.21", "fix_version": "4.17.11", "severity": "MEDIUM", "cvss_score": "5.0", "short_description": "# Regular Expression Denial of Service (ReDoS) in lodash\nlodash prior to 4.7.11 is affected by: CWE 400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.\nUpgrade to version 4.17.11 or later", "related_urls": [], "occurrence_count": 2192, "reachable_flows": 537}

Output:

[prabhu]

I am confused. It says no oss vulnerabilities in the screenshot. Is the bug that jsonlines report is incorrect?

[harshit-kochar]

You are correct @prabhu , I checked the html output and did not find this entry there.

[prabhu]

We have removed the jsonlines reporting format in v6. Will think of a way to bring back some kind of json export for such direct purl queries.

[harshit-kochar]

Thanks