DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home page: https://dependencytrack.org/


Flutter packages (pub) get vulnerability from npm

evyaroshevich opened this issue · comments

Current Behavior

While scanning the Flutter project, I discovered a false positive. Dependency-Track incorrectly identified the package pkg:pub/build@2.4.1 as belonging to the npm repository and issued the vulnerability CVE-2020-28423. Upon visiting the NIST NVD website to view the details, I found that it has cpe:2.3:a:monorepo-build_project:monorepo-build:*:*:*:*:*:node.js:*:*. In the actual BOM file, however, the CPE is absent altogether.

Steps to Reproduce

  1. git clone any Flutter project with pub/build@2.4.1
  2. Generate the BOM file
  3. Upload the BOM file to the Dependency-Track server

Expected Behavior

The vulnerability should not appear on this component.

Dependency-Track Version

4.11.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
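The mismatch the report describes (a Dart/Flutter pub package matched to a CPE whose target_sw is node.js) is the kind of ecosystem consistency check a triage step can apply before accepting a CPE-derived CVE match. The Python below is an added example and is not Dependency-Track's own code or matching logic: the target_sw-to-PURL-type table and the second npm PURL are constructed for illustration, while the CPE string, the pub PURL and the CVE id are the ones quoted in the issue (the CPE with its wildcard fields written out).

```python
"""Added example (not Dependency-Track's own code): flag CPE-based CVE matches
whose target_sw ecosystem contradicts the component's Package URL type."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# CPE 2.3 formatted-string fields after the "cpe:2.3" prefix, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed mapping from CPE target_sw values to the PURL types that can
# legitimately carry them. Anything absent is treated as "unknown".
TARGET_SW_TO_PURL_TYPES = {
    "node.js": {"npm"}, "nodejs": {"npm"},
    "python": {"pypi"},
    "ruby": {"gem"},
    "java": {"maven"}, "maven": {"maven"},
    "dart": {"pub"}, "flutter": {"pub"},
    "go": {"golang"}, "golang": {"golang"},
    "rust": {"cargo"},
}

# Values a CPE field uses to mean "any" or "not applicable".
CPE_WILDCARDS = {"*", "-", ""}


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str
    name: str
    version: str


def _split_unescaped(s: str, sep: str = ":") -> List[str]:
    """Split on sep while honouring backslash escapes (CPE 2.3 writes ':' as '\\:')."""
    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Parse a CPE 2.3 formatted string into a field -> value dict."""
    parts = _split_unescaped(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version; qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    if not ptype or not rest:
        raise ValueError(f"malformed Package URL: {purl!r}")
    path, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    namespace, _, name = path.rpartition("/")
    return Purl(ptype.lower(), namespace, name, version)


def ecosystem_compatible(purl: Purl, cpe: Dict[str, str]) -> Optional[bool]:
    """True/False when target_sw names a known ecosystem; None when it is a
    wildcard or unknown, in which case the match cannot be ruled out here."""
    target_sw = cpe["target_sw"].lower()
    if target_sw in CPE_WILDCARDS:
        return None
    allowed = TARGET_SW_TO_PURL_TYPES.get(target_sw)
    return None if allowed is None else purl.type in allowed


def triage_cpe_match(purl_str: str, cpe_str: str, cve_id: str) -> dict:
    """Attach an ecosystem verdict to a CPE-derived CVE match for review."""
    purl, cpe = parse_purl(purl_str), parse_cpe23(cpe_str)
    compatible = ecosystem_compatible(purl, cpe)
    if compatible is False:
        verdict, reason = "ecosystem-mismatch", (
            f"CPE target_sw {cpe['target_sw']!r} does not apply to PURL type {purl.type!r}")
    elif compatible is None:
        verdict, reason = "undetermined", "target_sw is a wildcard or unknown; needs other evidence"
    else:
        verdict, reason = "ecosystem-match", (
            f"CPE target_sw {cpe['target_sw']!r} is consistent with PURL type {purl.type!r}")
    return {"cve": cve_id, "purl": purl_str, "cpe_product": cpe["product"],
            "verdict": verdict, "reason": reason}


# Inputs from the issue (CPE wildcards written out) plus one constructed npm PURL.
ISSUE_CPE = "cpe:2.3:a:monorepo-build_project:monorepo-build:*:*:*:*:*:node.js:*:*"
ISSUE_PURL = "pkg:pub/build@2.4.1"
CONSTRUCTED_NPM_PURL = "pkg:npm/monorepo-build@1.0.0"  # constructed sample, not from the issue

if __name__ == "__main__":
    for p in (ISSUE_PURL, CONSTRUCTED_NPM_PURL):
        print(triage_cpe_match(p, ISSUE_CPE, "CVE-2020-28423"))
```

Running the block reports `ecosystem-mismatch` for the pub package from the issue and `ecosystem-match` for the constructed npm PURL. A wildcard target_sw yields `undetermined` rather than a verdict, since a CPE that does not name an ecosystem cannot by itself clear or condemn the match; that case needs other evidence such as an exact vendor/product correspondence or an ecosystem-aware advisory source.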