
ACC 3.2.1's output is not sufficient


Hi,

Is there no specific CVE for Apache Commons Collections 3.2.1?

I only get CVE-2015-6420 (reads like Cisco only) and CVE-2017-15708 (reads like Apache Synapse). I also wasn't able to find anything else except CVE-2015-7501, which sounds like JBoss / Oracle only.

This can indicate to the user that there's no problem using this library, which sounds like a bug to me.

Wouldn't it make sense, at least for this renowned vulnerability, to add something which doesn't come from the feed?

Thanks, Dirk

PS: Dependency-Check Core version 5.2.3-SNAPSHOT
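Added example, not code from the issue or from dependency-check itself: it shows why judging a CVE by its description ("reads like Cisco only") is the wrong test, because scanners such as dependency-check match a dependency's CPE against the record's configuration data, not its text. The feed item is a constructed sample in the shape of the NVD JSON 1.1 feed; its CPE entries are illustrative, and the real CVE-2015-6420 record must be checked on nvd.nist.gov.

```python
import json
import re

# Constructed sample shaped like an NVD JSON 1.1 feed item; the CPE entries are
# illustrative only and the real record must be checked on nvd.nist.gov.
SAMPLE_FEED = json.loads("""
{"CVE_Items": [{
  "cve": {"CVE_data_meta": {"ID": "CVE-2015-6420"},
          "description": {"description_data": [{"lang": "en", "value":
            "Serialized-object interfaces in certain Cisco products allow remote code execution via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library."}]}},
  "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:cisco:prime_infrastructure:*:*:*:*:*:*:*:*"},
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "3.2.1"},
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*"}
  ]}]}}]}
""")

def version_key(v):
    """Numeric components only, so '3.2.1' < '3.2.2' < '4.0' compare as expected."""
    return [int(p) for p in re.findall(r"\d+", v)]

def parse_cpe23(uri):
    """Pull vendor, product and version out of a CPE 2.3 formatted string."""
    fields = uri.split(":")
    return {"vendor": fields[3], "product": fields[4], "version": fields[5]}

def cpe_match_hits(match, vendor, product, version):
    """True if one cpe_match entry (exact version or version range) covers the dependency."""
    cpe = parse_cpe23(match["cpe23Uri"])
    if not match.get("vulnerable", True) or (cpe["vendor"], cpe["product"]) != (vendor, product):
        return False
    if cpe["version"] != "*":
        return version_key(cpe["version"]) == version_key(version)
    v = version_key(version)  # wildcard version: apply the range bounds, if any
    bounds = {"versionStartIncluding": lambda b: v >= b, "versionStartExcluding": lambda b: v > b,
              "versionEndIncluding": lambda b: v <= b, "versionEndExcluding": lambda b: v < b}
    return all(fn(version_key(match[k])) for k, fn in bounds.items() if k in match)

def node_hits(node, vendor, product, version):
    """Evaluate a configuration node, honouring its AND/OR operator and nested children."""
    results = [cpe_match_hits(m, vendor, product, version) for m in node.get("cpe_match", [])]
    results += [node_hits(c, vendor, product, version) for c in node.get("children", [])]
    return bool(results) and (all(results) if node.get("operator") == "AND" else any(results))

def find_cves(feed, vendor, product, version):
    """CVE IDs whose CPE configuration covers vendor:product:version, whatever the text says."""
    return [item["cve"]["CVE_data_meta"]["ID"] for item in feed["CVE_Items"]
            if any(node_hits(n, vendor, product, version) for n in item["configurations"]["nodes"])]
```

Run against the real feed, the same lookup is what tells you whether a given coordinate is covered; a record whose description only names downstream vendors still flags the library if its CPE configuration lists it.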

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 8 (8 by maintainers)

Top GitHub Comments

2 reactions
jeremylong commented, Oct 30, 2019

Yes, I am pushing the responsibility of the data to another location. When I originally designed dependency-check, one of the key tenets was that the project was not going to maintain a database mapping dependencies to CPE/CVE. We’ve gotten away from that a little with our hints and suppression files. Maintenance of an enhanced data-set is one of the things you will get with commercial offerings.

This project is 100% free, I do not make any money at all on this project - I am not a consultant, nor do I use this project at my day job. By creating an enhanced data-feed it adds an additional maintenance burden on the project that I feel is unacceptable.

Any updates to an enhanced data-feed would only benefit this project. However, if one were to contact the NVD suggesting updates to a vulnerability (I have and you can too - email them at nvd@nist.gov) you then benefit everyone that uses the NVD data including other OWASP projects like dependency-track.

1 reaction
drwetter commented, Oct 29, 2019

Why should I? As said, the perception of the user matters, and I am a user of this tool, and it doesn’t show me anything related, which seems dangerous.

PS: yes, I read the Apache blog.
