False-Positive: CVE-2020-14343 #281
Assignees
Labels
false-positive
A wrongly identified vulnerability
Comments
|
VDB version compare is incorrectly saying that 6.0.1 is within 3.01 and 5.4b2. Will work on a fix this weekend. |
|
Fixed with vdb 5.6.6. PR to bump depscan is coming. |
dep-scan-feature-use-vdbxz/depscan$ python3 cli.py --no-banner --purl "pkg:pypi/PyYAML@6.0.1" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project. │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 10:10:29,707] Performing regular scan for dep-scan-feature-use-vdbxz/depscan using plugin pypi
Dependency Scan Results (PYPI)
╔═══════════════════════╤═════════════════════╤═════════════╤══════════╤═══════╗
║ CVE │ Insights │ Fix Version │ Severity │ Score ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅ │ 🧾 Vendor Confirmed │ │ LOW │ 2.0 ║
║ CVE-2020-14343 │ │ │ │ ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅ │ 🧾 Vendor Confirmed │ │ LOW │ 2.0 ║
║ CVE-2017-18342 │ │ │ │ ║
╚═══════════════════════╧═════════════════════╧═════════════╧══════════╧═══════╝
╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯
|
|
@almaz045 could you uninstall any existing depscan or set PYTHONPATH to the cloned directory? |
I've deleted depscan binary file from path: depscan bash: /home/user/.local/bin/depscan: No such file or directory I've added PYTHONPATH to feature-branch export PYTHONPATH="/home/user/Desktop/Programs/dep-scan-feature-use-vdbxz:$PYTHONPATH" ~/Desktop/Programs/dep-scan-feature-use-vdbxz$ python3 depscan/cli.py --no-banner --purl "pkg:pypi/PyYAML@6.0.1" --reports-dir temp_test --no-suggest
╭─────────────────── Risk Audit Capability ───────────────────╮
│ Depscan supports OSS Risk audit for this project. │
│ To enable set the environment variable ENABLE_OSS_RISK=true │
╰─────────────────────────────────────────────────────────────╯
INFO [2024-04-01 17:55:25,318] Performing regular scan for /home/user/Desktop/Programs/dep-scan-feature-use-vdbxz using plugin pypi
Dependency Scan Results (PYPI)
╔═══════════════════════╤═════════════════════╤═════════════╤══════════╤═══════╗
║ CVE │ Insights │ Fix Version │ Severity │ Score ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅ │ 🧾 Vendor Confirmed │ │ LOW │ 2.0 ║
║ CVE-2017-18342 │ │ │ │ ║
╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢
║ pyyaml@6.0.1 ⬅ │ 🧾 Vendor Confirmed │ │ LOW │ 2.0 ║
║ CVE-2020-14343 │ │ │ │ ║
╚═══════════════════════╧═════════════════════╧═════════════╧══════════╧═══════╝
╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯
|
|
@almaz045 can you also do? |
|
@prabhu $ pip uninstall appthreat-vulnerability-db Found existing installation: appthreat-vulnerability-db 5.6.4 Uninstalling appthreat-vulnerability-db-5.6.4: pip install -e . python3 depscan/cli.py --no-banner --purl "pkg:pypi/PyYAML@6.0.1" --reports-dir temp_test --no-suggest ╭─────────────────── Risk Audit Capability ───────────────────╮ │ Depscan supports OSS Risk audit for this project. │ │ To enable set the environment variable ENABLE_OSS_RISK=true │ ╰─────────────────────────────────────────────────────────────╯ INFO [2024-04-01 19:00:14,048] Performing regular scan for /home/user/Desktop/Programs/dep-scan-feature-use-vdbxz using plugin pypi INFO [2024-04-01 19:00:14,052] No oss vulnerabilities detected ✅ Thanks! |
prabhu
added a commit
that referenced
this issue
Apr 1, 2024
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
PURL of wrongly matched component
pkg:pypi/PyYAML@6.0.1
Depscan findings
██████╗ ███████╗██████╗ ███████╗ ██████╗ █████╗ ███╗ ██╗ ██╔══██╗██╔════╝██╔══██╗██╔════╝██╔════╝██╔══██╗████╗ ██║ ██║ ██║█████╗ ██████╔╝███████╗██║ ███████║██╔██╗ ██║ ██║ ██║██╔══╝ ██╔═══╝ ╚════██║██║ ██╔══██║██║╚██╗██║ ██████╔╝███████╗██║ ███████║╚██████╗██║ ██║██║ ╚████║ ╚═════╝ ╚══════╝╚═╝ ╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝ ╭─────────────────── Risk Audit Capability ───────────────────╮ │ Depscan supports OSS Risk audit for this project. │ │ To enable set the environment variable ENABLE_OSS_RISK=true │ ╰─────────────────────────────────────────────────────────────╯ INFO [2024-03-29 14:13:12,409] Performing regular scan for /PYTHON/django-DefectDojo-master using plugin pypi Dependency Scan Results (PYPI) ╔═══════════════════════╤═════════════════════╤═════════════╤══════════╤═══════╗ ║ CVE │ Insights │ Fix Version │ Severity │ Score ║ ╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢ ║ pyyaml@6.0.1 ⬅ │ 🧾 Vendor Confirmed │ │ LOW │ 2.0 ║ ║ CVE-2020-14343 │ │ │ │ ║ ╟───────────────────────┼─────────────────────┼─────────────┼──────────┼───────╢ ║ pyyaml@6.0.1 ⬅ │ 🧾 Vendor Confirmed │ │ LOW │ 2.0 ║ ║ CVE-2017-18342 │ │ │ │ ║ ╚═══════════════════════╧═════════════════════╧═════════════╧══════════╧═══════╝ ╭────────────── Recommendation ───────────────╮ │ ✅ No package requires immediate attention. │ ╰─────────────────────────────────────────────╯The text was updated successfully, but these errors were encountered: