Flutter packages (pub) get vulnerability from npm
evyaroshevich opened this issue
Current Behavior
While scanning the Flutter project, I discovered a false positive. Dependency-Track incorrectly identified the package pkg:pub/build@2.4.1 as belonging to the npm repository and reported the vulnerability CVE-2020-28423. Upon visiting the NIST NVD website to view the details, I found that it has cpe:2.3:a:monorepo-build_project:monorepo-build::::::node.js::*. In the actual BOM file, though, the CPE is absent altogether.
Steps to Reproduce
- git clone any flutter project with pub/build@2.4.1
- generate bom file
- upload bom file to dependencytrack server
Expected Behavior
The vulnerability should not appear on this component.
Dependency-Track Version
4.11.0-SNAPSHOT
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
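As an added example (not code from Dependency-Track or from the reporter): a small Python check that compares the ecosystem implied by a component's Package URL type against the target_sw field of a matched CPE 2.3 string, so that a `pub` component matched to a Node.js-only CPE such as the one above is flagged as a suspect finding. The PURL-type-to-target_sw table and the sample findings list are constructed assumptions for this example.

```python
"""Flag CPE-based vulnerability matches whose ecosystem contradicts the component's PURL."""
from typing import List, Optional, Tuple

# Assumed mapping from Package URL type to the value the CPE 2.3 target_sw
# field would carry for that ecosystem (constructed for this example).
PURL_TYPE_TO_TARGET_SW = {
    "pub": "dart",
    "npm": "node.js",
    "pypi": "python",
    "maven": "java",
    "gem": "ruby",
    "cargo": "rust",
}


def purl_type(purl: str) -> str:
    """Return the type of a Package URL, e.g. 'pub' for pkg:pub/build@2.4.1."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: %s" % purl)
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def cpe_target_sw(cpe: str) -> str:
    """Return target_sw (field index 10) of a CPE 2.3 formatted string.

    Escaped colons (\\:) are not handled; NVD's target_sw values do not need them.
    An empty field is treated like the '*' wildcard, as in the issue's CPE above.
    """
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %s" % cpe)
    return fields[10].lower() or "*"


def ecosystem_mismatch(purl: str, cpe: str) -> Optional[str]:
    """Return a reason if the CPE's target_sw contradicts the PURL ecosystem, else None."""
    ptype = purl_type(purl)
    target_sw = cpe_target_sw(cpe)
    expected = PURL_TYPE_TO_TARGET_SW.get(ptype)
    if target_sw in ("*", "-") or expected is None:
        return None  # CPE does not restrict the ecosystem, or we have no expectation
    if target_sw != expected:
        return "purl type %r implies target_sw %r but CPE says %r" % (ptype, expected, target_sw)
    return None


def suspect_findings(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (purl, cve, reason) for each finding whose CPE contradicts the PURL type."""
    return [(p, cve, r) for p, cpe, cve in findings if (r := ecosystem_mismatch(p, cpe))]
```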