Scorecard Tool, via OSV, Reports These CVEs In This Project #222

Open
jspeed-meyers opened this issue Nov 13, 2024 · 1 comment
Labels
question Further information is requested security

Comments

@jspeed-meyers (Collaborator) wrote:

score is 4: 6 existing vulnerabilities detected:
Warn: Project is vulnerable to: CVE-2022-48174
Warn: Project is vulnerable to: CVE-2023-42363
Warn: Project is vulnerable to: CVE-2023-42364
Warn: Project is vulnerable to: CVE-2023-42365
Warn: Project is vulnerable to: CVE-2023-42366
Warn: Project is vulnerable to: GHSA-269g-pwp5-87pp
Click Remediation section below to solve this issue

What's going on? I need to investigate. Thoughts welcome.

@jspeed-meyers jspeed-meyers added security question Further information is requested labels Nov 13, 2024
@goneall (Member) commented Nov 13, 2024

I haven't used the OSV plugin myself - for the Java repos, I've used a dependency check plugin for Maven before each release.

About half the time, it is a false positive which I can configure to ignore. In other cases, it's just updating dependencies - but the dependencies in this project are pretty current.
