[FP]: Nuget packages with Redis in name is marked as vulnerable #4321
Labels
Comments
|
For what it's worth we're getting issues on this as a client library, for example: StackExchange/StackExchange.Redis#2358 I'm not sure how this tool gets data it's depending on, but could we please update the Redis definitions? If that's upstream, just need a pointer of where to look. |
|
Any news from DependencyCheck? |
|
Also hitting this issue with ODC for the Python redis library, and there are even more FPs now. CPE CVE ODC Version |
jsch-adt
added a commit
to jsch-adt/DependencyCheck
that referenced
this issue
Feb 27, 2024
|
@jeremylong I created a PR to address this ticket - is there anything else I need to do to submit for review? Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Package URl
pkg:generic/Microsoft.Extensions.Caching.StackExchangeRedis@6.0.1
pkg:generic/HealthChecks.Redis@5.0.2
CPE
cpe:2.3:a:redis:redis:5.0.2:::::::*
cpe:2.3:a:microsoft:.net_core:6.0.1:::::::*
cpe:2.3:a:microsoft:exchange:6.0.1:::::::*
cpe:2.3:a:redis:redis:6.0.1:::::::*
CVE
CVE-2021-32626
CVE-2021-32627
CVE-2021-32628
CVE-2021-32675
CVE-2021-32687
CVE-2021-32762
CVE-2021-41099
ODC Integration
{"label"=>"CLI"}
ODC Version
Description
It looks like that all Nuget packages with "Redis" in name and with the version similar to a version number used in Redis server are marked with vulnerabilities found in Redis Server.
The text was updated successfully, but these errors were encountered: