False-Positive: CVE-2020-14343 #281
Comments
VDB version compare is incorrectly saying that 6.0.1 is within 3.01 and 5.4b2. Will work on a fix this weekend.
|
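The comparison the comment above describes, carried out correctly, as an added example (this is not vulnerability-db or depscan code, and the `AffectedRange` record shape is a constructed simplification, not the VDB schema). It parses PEP 440-style strings such as `3.01`, `5.4b2` and `6.0.1`, orders pre-releases before their final release, and checks membership in an inclusive range, so `6.0.1` is reported outside `3.01 .. 5.4b2`. A lexicographic string comparison is shown beside it to illustrate the kind of shortcut that produces false positives (`5.4` sorting below `5.4b2`, `4.10` sorting below `4.9`). Standard library only.

```python
"""Version-range matching for CVE affected ranges.

Added example, not vulnerability-db or depscan code. AffectedRange is a
constructed, simplified record: one contiguous range with inclusive bounds,
like the "3.01 through 5.4b2" range discussed in this issue.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Pre-release tags sort before the final release: 5.4a1 < 5.4b2 < 5.4rc1 < 5.4
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "c": 2, "rc": 2, "pre": 2, "preview": 2}

_VERSION_RE = re.compile(
    r"^\s*v?(?P<release>\d+(?:\.\d+)*)"                                   # 6.0.1, 3.01
    r"(?:[-._]?(?P<pre_tag>a|b|c|rc|alpha|beta|pre|preview)[-._]?(?P<pre_num>\d*))?"
    r"\s*$",
    re.IGNORECASE,
)

def version_key(text: str) -> Tuple[Tuple[int, ...], int, int, int]:
    """Return a tuple that sorts the way PEP 440 versions should.

    Leading zeros are numeric ("3.01" == "3.1"), trailing zero segments are
    dropped ("6.0" == "6.0.0"), and a final release sorts after any of its
    own pre-releases.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group("pre_tag") is None:
        return (tuple(release), 1, 0, 0)          # final release: flag 1
    rank = _PRE_RANK[m.group("pre_tag").lower()]
    num = int(m.group("pre_num") or 0)
    return (tuple(release), 0, rank, num)        # pre-release: flag 0

def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like the classic cmp()."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)

class AffectedRange(NamedTuple):
    lower: Optional[str]          # None means unbounded below
    upper: Optional[str]          # None means unbounded above
    lower_inclusive: bool = True
    upper_inclusive: bool = True

def is_affected(version: str, rng: AffectedRange) -> bool:
    """True when `version` lies inside the affected range."""
    if rng.lower is not None:
        c = compare(version, rng.lower)
        if c < 0 or (c == 0 and not rng.lower_inclusive):
            return False
    if rng.upper is not None:
        c = compare(version, rng.upper)
        if c > 0 or (c == 0 and not rng.upper_inclusive):
            return False
    return True

def naive_string_in_range(version: str, lower: str, upper: str) -> bool:
    """Lexicographic string comparison, shown only as the shortcut to avoid:
    it orders "5.4" below "5.4b2" and "4.10" below "4.9"."""
    return lower <= version <= upper

if __name__ == "__main__":
    rng = AffectedRange(lower="3.01", upper="5.4b2")   # constructed range
    for v in ("3.01", "3.1", "5.4b1", "5.4b2", "5.4", "6.0.1"):
        print(f"{v:>6}: affected={is_affected(v, rng)!s:5} "
              f"naive={naive_string_in_range(v, '3.01', '5.4b2')}")
```

Running the block prints one line per sample version; `6.0.1` and `5.4` come out as not affected, while `5.4b2` (the inclusive upper bound) and `3.1` (numerically equal to `3.01`) do. A scanner that wants to fail safe should treat an unparsable version as "unknown" and surface it, rather than silently counting it as matched or unmatched.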
Fixed with vdb 5.6.6. PR to bump depscan is coming.
|
dep-scan-feature-use-vdbxz/depscan$ python3 cli.py --no-banner --purl "pkg:pypi/PyYAML@6.0.1" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 10:10:29,707] Performing regular scan for dep-scan-feature-use-vdbxz/depscan using plugin pypi
Dependency Scan Results (PYPI)
╔═══════════════════════╤═════════════════════╤═════════════╤══════════╤═══════╗
║ CVE                   │ Insights            │ Fix Version │ Severity │ Score ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅        │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2020-14343        │                     │             │          │       ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅        │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2017-18342        │                     │             │          │       ║
╚═══════════════════════╧═════════════════════╧═════════════╧══════════╧═══════╝
╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯
|
@almaz045 could you uninstall any existing depscan or set PYTHONPATH to the cloned directory? |
I've deleted the depscan binary file from the path:
depscan
bash: /home/user/.local/bin/depscan: No such file or directory
I've added PYTHONPATH to the feature branch:
export PYTHONPATH="/home/user/Desktop/Programs/dep-scan-feature-use-vdbxz:$PYTHONPATH"
~/Desktop/Programs/dep-scan-feature-use-vdbxz$ python3 depscan/cli.py --no-banner --purl "pkg:pypi/PyYAML@6.0.1" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 17:55:25,318] Performing regular scan for /home/user/Desktop/Programs/dep-scan-feature-use-vdbxz using plugin pypi
Dependency Scan Results (PYPI)
╔═══════════════════════╤═════════════════════╤═════════════╤══════════╤═══════╗
║ CVE                   │ Insights            │ Fix Version │ Severity │ Score ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅        │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2017-18342        │                     │             │          │       ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅        │ 🧾 Vendor Confirmed │             │ LOW      │ 2.0   ║
║ CVE-2020-14343        │                     │             │          │       ║
╚═══════════════════════╧═════════════════════╧═════════════╧══════════╧═══════╝
╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯
|
@almaz045 can you also do?
|
@prabhu
$ pip uninstall appthreat-vulnerability-db
Found existing installation: appthreat-vulnerability-db 5.6.4
Uninstalling appthreat-vulnerability-db-5.6.4:
pip install -e .
python3 depscan/cli.py --no-banner --purl "pkg:pypi/PyYAML@6.0.1" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project.           │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 19:00:14,048] Performing regular scan for /home/user/Desktop/Programs/dep-scan-feature-use-vdbxz using plugin pypi
INFO [2024-04-01 19:00:14,052] No oss vulnerabilities detected ✅
Thanks!
|
PURL of wrongly matched component
pkg:pypi/PyYAML@6.0.1
Depscan findings