Why aren't all CVEs reported?
It seems only some CVEs are reported but not others; I’m not sure if there’s a severity threshold under which vulnerabilities are ignored.
- it should be made clear, in the project’s readme at least, what the scope of this analysis is, i.e. what vulnerability criteria are used to flag a vulnerable dependency,
- if there’s indeed a threshold, then it should be made user configurable, and different vulns could be reported with different diagnostic severities (warning, info for lower severities)
Examples of ignored vulns in pom.xml:
<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi</artifactId>
    <version>3.16</version> <!-- https://www.cvedetails.com/cve/CVE-2017-12626/ -->
</dependency>
<dependency>
    <groupId>org.springframework.amqp</groupId>
    <artifactId>spring-amqp</artifactId>
    <version>1.4.4.RELEASE</version> <!-- https://www.cvedetails.com/cve/CVE-2016-2173/ -->
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>3.2.3.RELEASE</version> <!-- https://www.cvedetails.com/cve/CVE-2013-7315/ -->
</dependency>
All those dependencies are flagged as critically vulnerable in https://search.maven.org/
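As an added example (not the extension's or Snyk's own code), the following Python sketch shows the behaviour the issue asks for: every known vulnerability of a pom.xml dependency is surfaced, and a user-configurable CVSS threshold only decides the diagnostic level (error, warning, info) rather than filtering findings out. The vulnerability table, its CVSS scores and the sample pom are constructed for the demonstration.

```python
# Added example (not the extension's code): parse <dependency> entries from a
# pom.xml and emit one diagnostic per known CVE, with the severity level derived
# from user-configurable CVSS thresholds instead of silently dropping low scores.
import xml.etree.ElementTree as ET

# Constructed sample pom.xml using the three dependencies cited in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.poi</groupId><artifactId>poi</artifactId><version>3.16</version><!-- CVE-2017-12626 --></dependency>
    <dependency><groupId>org.springframework.amqp</groupId><artifactId>spring-amqp</artifactId><version>1.4.4.RELEASE</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>3.2.3.RELEASE</version></dependency>
  </dependencies>
</project>"""

# Constructed lookup table: the CVE ids are those cited in the issue, but the
# CVSS scores are placeholders for the demonstration, NOT the real published scores.
VULN_DB = {
    ("org.apache.poi", "poi", "3.16"): [("CVE-2017-12626", 7.5)],
    ("org.springframework.amqp", "spring-amqp", "1.4.4.RELEASE"): [("CVE-2016-2173", 9.8)],
    ("org.springframework", "spring-webmvc", "3.2.3.RELEASE"): [("CVE-2013-7315", 5.0)],
}

def _local(tag):
    """Strip the XML namespace so poms with and without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for each literal <dependency>.
    Versions written as ${property} placeholders are left unresolved here."""
    deps = []
    for el in ET.fromstring(pom_xml).iter():  # comments are dropped by the parser
        if _local(el.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in el}
        if {"groupId", "artifactId", "version"}.issubset(f):
            deps.append((f["groupId"], f["artifactId"], f["version"]))
    return deps

def severity_for(score, error_min=7.0, warning_min=4.0):
    """Map a CVSS score to a diagnostic level; below warning_min is still reported as info."""
    if score >= error_min:
        return "error"
    return "warning" if score >= warning_min else "info"

def diagnostics(pom_xml, error_min=7.0, warning_min=4.0):
    """One (artifactId, CVE, level) tuple per known vulnerability; nothing is filtered out."""
    return [(a, cve, severity_for(score, error_min, warning_min))
            for (g, a, v) in parse_dependencies(pom_xml)
            for cve, score in VULN_DB.get((g, a, v), [])]
```

Running `diagnostics(SAMPLE_POM)` with the default thresholds yields two errors and one warning; raising the thresholds demotes findings to warning or info but never hides them.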
Issue Analytics
- Created 5 years ago
- Comments: 20 (6 by maintainers)
Tested with both the Struts2 and the Jetty dependencies and they are now correctly reported as vulnerable:
We released a new version of the extension that now leverages Snyk Intel - a comprehensive commercial vulnerability database - for its analysis. Can you please update the extension and try it out?