Scorecard Tool, via OSV, Reports These CVEs In This Project #222

jspeed-meyers · 2024-11-13T22:35:58Z

score is 4: 6 existing vulnerabilities detected:
Warn: Project is vulnerable to: CVE-2022-48174
Warn: Project is vulnerable to: CVE-2023-42363
Warn: Project is vulnerable to: CVE-2023-42364
Warn: Project is vulnerable to: CVE-2023-42365
Warn: Project is vulnerable to: CVE-2023-42366
Warn: Project is vulnerable to: GHSA-269g-pwp5-87pp
Click Remediation section below to solve this issue

What's going on? I need to investigate. Thoughts welcome.

The text was updated successfully, but these errors were encountered:

goneall · 2024-11-13T23:52:36Z

I haven't used the OSV plugin myself - for the Java repos, I've used a dependency check plugin for Maven before each release.

About half the time, it is a false positive which I can configure to ignore. In other cases, it's just updating dependencies - but the dependencies in this project are pretty current.

bact · 2024-11-28T09:29:08Z

https://github.com/spdx/ntia-conformance-checker/blob/main/.github/workflows/python-publish.yml use v3 of actions/checkout which may use an outdated version of npm.

jspeed-meyers added security question Further information is requested labels Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scorecard Tool, via OSV, Reports These CVEs In This Project #222

Scorecard Tool, via OSV, Reports These CVEs In This Project #222

jspeed-meyers commented Nov 13, 2024

goneall commented Nov 13, 2024

bact commented Nov 28, 2024

Scorecard Tool, via OSV, Reports These CVEs In This Project #222

Scorecard Tool, via OSV, Reports These CVEs In This Project #222

Comments

jspeed-meyers commented Nov 13, 2024

goneall commented Nov 13, 2024

bact commented Nov 28, 2024