
False Positive on chrome-trace-event (recognized as chrome)


In v6.0.0 the chrome-trace-event npm dependency is recognized as chrome and consequently lists around 1800 vulnerabilities.

<package confidence="HIGHEST">
	<id>pkg:npm/chrome-trace-event@1.0.2</id>
	<url>https://ossindex.sonatype.org/component/pkg:npm/chrome-trace-event@1.0.2</url>
</package>
<vulnerabilityIds confidence="HIGHEST">
	<id>cpe:2.3:a:google:chrome:1.0.2:*:*:*:*:*:*:*</id>
	<url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;search_type=all&amp;cpe_vendor=cpe%3A%2F%3Agoogle&amp;cpe_product=cpe%3A%2F%3Agoogle%3Achrome&amp;cpe_version=cpe%3A%2F%3Agoogle%3Achrome%3A1.0.2</url>
</vulnerabilityIds>

large snippet

<dependency isVirtual="false">
	<fileName>chrome-trace-event:1.0.2</fileName>
	<filePath>/var/lib/jenkins/workspace/tenance-portal_-_metrics_develop/frontend/node_modules/chrome-trace-event/package.json</filePath>
	<md5>256dfd254581408e7c2618555984d069</md5>
	<sha1>34d76c71777a13b2323941c48ae76d7c66093bce</sha1>
	<sha256>521d76b7a8eee2278b2dcfa026d11e2444a2a186367dbe9b1e96a3be6fe132ce</sha256>
	<description>A library to create a trace of your node app per Google&apos;s Trace Event format.</description>
	<license>MIT</license>
	<projectReferences>
		<projectReference>Maintenance-portal:0.1.0</projectReference>
	</projectReferences>
	<evidenceCollected>
		<evidence type="vendor" confidence="HIGHEST">
			<source>package.json</source>
			<name>author</name>
			<value>Trent Mick, Sam Saccone</value>
		</evidence>
		<evidence type="vendor" confidence="HIGHEST">
			<source>package.json</source>
			<name>name</name>
			<value>chrome-trace-event</value>
		</evidence>
		<evidence type="vendor" confidence="HIGHEST">
			<source>package.json</source>
			<name>name</name>
			<value>chrome-trace-event_project</value>
		</evidence>
		<evidence type="vendor" confidence="HIGHEST">
			<source>package.json</source>
			<name>description</name>
			<value>A library to create a trace of your node app per Google&apos;s Trace Event format.</value>
		</evidence>
		<evidence type="product" confidence="HIGHEST">
			<source>package.json</source>
			<name>name</name>
			<value>chrome-trace-event</value>
		</evidence>
		<evidence type="version" confidence="HIGHEST">
			<source>package.json</source>
			<name>version</name>
			<value>1.0.2</value>
		</evidence>
	</evidenceCollected>
	<identifiers>
		<package confidence="HIGHEST">
			<id>pkg:npm/chrome-trace-event@1.0.2</id>
			<url>https://ossindex.sonatype.org/component/pkg:npm/chrome-trace-event@1.0.2</url>
		</package>
		<vulnerabilityIds confidence="HIGHEST">
			<id>cpe:2.3:a:google:chrome:1.0.2:*:*:*:*:*:*:*</id>
			<url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;search_type=all&amp;cpe_vendor=cpe%3A%2F%3Agoogle&amp;cpe_product=cpe%3A%2F%3Agoogle%3Achrome&amp;cpe_version=cpe%3A%2F%3Agoogle%3Achrome%3A1.0.2</url>
		</vulnerabilityIds>
	</identifiers>
	<vulnerabilities>
		<vulnerability source="NVD">
			<name>CVE-2005-4900</name>

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

jeremylong commented, Sep 22, 2020 (1 reaction)

@jykae I always recommend folks RTM:

TL;DR - If you look at the HTML report - there is a suppress button that you can use to build a suppression.xml file.
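
As an added example (not part of the thread and not dependency-check's own code), the sketch below finds identifiers like the one in the issue, where the CPE product is not the package name, and drafts a suppression rule scoped to that package and CPE. The suppression schema namespace and the function names are assumptions; the sample input is constructed from the report fragment quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <identifiers> block from the report quoted in the issue.
REPORT_FRAGMENT = """<dependency isVirtual="false">
  <identifiers>
    <package confidence="HIGHEST">
      <id>pkg:npm/chrome-trace-event@1.0.2</id>
    </package>
    <vulnerabilityIds confidence="HIGHEST">
      <id>cpe:2.3:a:google:chrome:1.0.2:*:*:*:*:*:*:*</id>
    </vulnerabilityIds>
  </identifiers>
</dependency>"""

# Assumption: namespace of the suppression schema (1.3); match it to your release.
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

def mismatched_cpes(dependency_xml):
    """Return (purl, cpe) pairs whose CPE product differs from the package name."""
    dep = ET.fromstring(dependency_xml)
    purls = [e.text for e in dep.findall("./identifiers/package/id")]
    cpes = [e.text for e in dep.findall("./identifiers/vulnerabilityIds/id")]
    pairs = []
    for purl in purls:
        name = purl.rsplit("@", 1)[0].split("/")[-1]   # -> chrome-trace-event
        for cpe in cpes:
            product = cpe.split(":")[4]                # cpe:2.3:a:vendor:product:...
            if product.replace("-", "_") != name.replace("-", "_"):
                pairs.append((purl, cpe))
    return pairs

def suppression_for(purl, cpe):
    """Build one <suppress> rule scoped to this package and this CPE only."""
    coords = purl.rsplit("@", 1)[0]                    # purl without version
    vendor, product = cpe.split(":")[3:5]
    rule = ET.Element("suppress")
    ET.SubElement(rule, "notes").text = f"False positive: {coords} is not {vendor}:{product}"
    ET.SubElement(rule, "packageUrl", regex="true").text = "^" + re.escape(coords) + "@.*$"
    ET.SubElement(rule, "cpe").text = f"cpe:/a:{vendor}:{product}"
    return rule

def build_suppression_file(dependency_xml):
    root = ET.Element("suppressions", xmlns=SUPPRESSION_NS)
    for purl, cpe in mismatched_cpes(dependency_xml):
        root.append(suppression_for(purl, cpe))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_suppression_file(REPORT_FRAGMENT))
```

A name mismatch is only a triage hint, since some packages legitimately map to a differently named CPE product; review each drafted rule before committing it. Scoping the rule to both the package URL and the CPE keeps it from hiding findings for other dependencies or a real Chrome component.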

namloc2001 commented, Nov 26, 2020 (0 reactions)

Likewise, we are using 6.0.2 and still seeing it.
