[FP]: python prometheus_client popping CVE for prometheus server

[jsch-adt]

Package URl

pkg:pypi/prometheus-client@0.20.0

CPE

cpe:2.3:a:prometheus:prometheus:0.20.0:*:*:*:*:*:*:*

CVE

CVE-2019-3826

ODC Integration

{"label"=>"CLI"}

ODC Version

9.0.8

Description

CVE is for the Prometheus server, while prometheus_client is a python library.

[Nitish1210]

Hello,
I was wondering if its possible to have an ETA for this issue to be fixed.
Its creating lot of false positive whenever there is a package which has prometheus in its name.
Thanks.
Really appreciate the work.

[jsch-adt]

@Nitish1210 which version are you on? I believe this was fixed https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md#version-9010-2024-03-15

[Nitish1210]

@Nitish1210 which version are you on? I believe this was fixed https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md#version-9010-2024-03-15

Then why this issue not closed yet?

[Nitish1210]

Also for me, the following package is causing the problem.

References:

Vulnerability CVE-2019-3826
Affected library: opentelemetry-prometheus-client-bridge-1.32.0-alpha.jar

[jsch-adt]

You would need to put in a PR for that specific CVE.

[Nitish1210]

You would need to put in a PR for that specific CVE.

@jsch-adt you mean, i need to create new issue in this repo for the package i am getting alerts?
aka this Affected library: opentelemetry-prometheus-client-bridge-1.32.0-alpha.jar

[jsch-adt]

Yes, added to the previous change for the other CVEs.