CVE-2020-24356 does not match correctly #1084
Comments
What is the raw OSV data for this vulnerability?
This warning might also be helpful.
Raw data is here: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hgwp-4vp4-qmm2/GHSA-hgwp-4vp4-qmm2.json And especially as that repo accepts Pull Requests, it sounds like it would be better to raise this issue there.
Looks like the original Renovate issue was deleted, reproduction repository: https://github.com/uhthomas/renovate20706
Thanks @rarkins. I'll open another issue there.
Both Renovate and GitHub's Dependabot match the version of https://github.com/cloudflare/cloudflared incorrectly. The CVE claims that any versions which match >=2020.8.1 should be fine to use, but warnings are incorrectly raised for versions newer than this. Originally raised as https://github.com/renovatebot/renovate/issues/20706.
As mentioned in the above issue, I believe this may be due to how OSV and other tools match against versions. The project in question uses a versioning scheme <year>.<month>.<minor>, whereas the version in a Go module is written as v0.0.0-20230302084805-4c3417fedda9.
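The mismatch described in the issue above, as an added example that is not code from Renovate, OSV, Dependabot or cloudflared: it shows why comparing the leading component of the Go pseudo-version quoted above against the 2020.8.1 fix reports it as older, and a calendar-aware check that instead reads the commit timestamp embedded in the pseudo-version. It handles only the v0.0.0-<timestamp>-<hash> pseudo-version form, and every version string other than the one from the issue is constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Go pseudo-version of the form on this page, v0.0.0-<14-digit UTC commit time>-<12 hex chars>;
// the other pseudo-version forms (vX.Y.Z-pre.0.<time>-<hash>, ...) are not handled here.
var pseudoVersionRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// naiveVulnerable reproduces the mismatch: compared numerically, the leading "0" of
// "v0.0.0-..." is below the "2020" of "2020.8.1", so every pseudo-version looks older than the fix.
func naiveVulnerable(moduleVersion, fixed string) bool {
	var a, b int
	fmt.Sscanf(moduleVersion, "v%d", &a)
	fmt.Sscanf(fixed, "%d", &b)
	return a < b
}

// calverState compares the commit month embedded in a pseudo-version with a
// <year>.<month>.<minor> fixed bound. A commit in the same month as the fixed release
// is reported as "ambiguous", because the <minor> component cannot be recovered from a timestamp.
func calverState(moduleVersion, fixed string) (string, error) {
	m := pseudoVersionRe.FindStringSubmatch(moduleVersion)
	if m == nil {
		return "", fmt.Errorf("not a v0.0.0 pseudo-version: %s", moduleVersion)
	}
	ts, err := time.Parse("20060102150405", m[1]) // commit time, UTC
	var year, month int
	if n, _ := fmt.Sscanf(fixed, "%d.%d.", &year, &month); err != nil || n != 2 {
		return "", fmt.Errorf("bad input: version %q, bound %q", moduleVersion, fixed)
	}
	commit, bound := ts.Year()*100+int(ts.Month()), year*100+month
	switch {
	case commit > bound:
		return "fixed", nil
	case commit == bound:
		return "ambiguous", nil
	}
	return "vulnerable", nil
}

func main() {
	v := "v0.0.0-20230302084805-4c3417fedda9" // the module version quoted in the issue
	state, _ := calverState(v, "2020.8.1")
	fmt.Println("naive:", naiveVulnerable(v, "2020.8.1"), "calendar-aware:", state) // prints "naive: true calendar-aware: fixed"
}
```

The "ambiguous" result is the honest answer for a commit landing in the same month as the fixed release; a scanner that wants no false negatives should treat it as vulnerable until the advisory carries a Go-style version range.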