From f62e5a836eebeaf22eb25fdd53f7e96ac65e309f Mon Sep 17 00:00:00 2001 From: Dan Lorenc Date: Sun, 18 Feb 2024 11:00:55 -0500 Subject: [PATCH] Nack CVE-2023-42282 in npm and related packages. The CVE description says it's only in versions prior to 1.1.8 but the CPE is incorrect, causing this to be flagged incorrectly. Signed-off-by: Dan Lorenc --- lerna.advisories.yaml | 5 +++++ node-gyp.advisories.yaml | 5 +++++ npm.advisories.yaml | 5 +++++ pnpm-stage0.advisories.yaml | 5 +++++ renovate.advisories.yaml | 5 +++++ sqlpad.advisories.yaml | 5 +++++ 6 files changed, 30 insertions(+) diff --git a/lerna.advisories.yaml b/lerna.advisories.yaml index bb0d0f8e9..713d622b9 100644 --- a/lerna.advisories.yaml +++ b/lerna.advisories.yaml @@ -29,3 +29,8 @@ advisories: componentType: npm componentLocation: /usr/local/lib/node_modules/lerna/node_modules/ip/package.json scanner: grype + - timestamp: 2024-02-18T15:59:08Z + type: false-positive-determination + data: + type: vulnerable-code-version-not-used + note: The vulnerability is only present in versions of ip before v1.1.8, but we have version 2.0.0. The metadata is wrong in the NVD. diff --git a/node-gyp.advisories.yaml b/node-gyp.advisories.yaml index 96c6cb209..ce05f4c6d 100644 --- a/node-gyp.advisories.yaml +++ b/node-gyp.advisories.yaml @@ -20,3 +20,8 @@ advisories: componentType: npm componentLocation: /usr/lib/node_modules/node-gyp/node_modules/ip/package.json scanner: grype + - timestamp: 2024-02-18T15:59:30Z + type: false-positive-determination + data: + type: vulnerable-code-version-not-used + note: The vulnerability is only present in versions of ip before v1.1.8, but we have version 2.0.0. The metadata is wrong in the NVD. diff --git a/npm.advisories.yaml b/npm.advisories.yaml index a7c08c199..e0b35b3dd 100644 --- a/npm.advisories.yaml +++ b/npm.advisories.yaml 
@@ -24,3 +24,8 @@ advisories: type: pending-upstream-fix data: note: Upstream fixes are actively being attempted, such as in https://github.com/indutny/node-ip/pull/138, and once a solution is accepted we should incorporate that into this package. + - timestamp: 2024-02-18T15:58:43Z + type: false-positive-determination + data: + type: vulnerable-code-version-not-used + note: The vulnerability is only present in versions of ip before v1.1.8, but we have version 2.0.0. The metadata is wrong in the NVD. diff --git a/pnpm-stage0.advisories.yaml b/pnpm-stage0.advisories.yaml index 8a677bfaf..8bc18e2c4 100644 --- a/pnpm-stage0.advisories.yaml +++ b/pnpm-stage0.advisories.yaml @@ -20,3 +20,8 @@ advisories: componentType: npm componentLocation: /usr/lib/node_modules/pnpm/dist/node_modules/ip/package.json scanner: grype + - timestamp: 2024-02-18T15:59:51Z + type: false-positive-determination + data: + type: vulnerable-code-version-not-used + note: The vulnerability is only present in versions of ip before v1.1.8, but we have version 2.0.0. The metadata is wrong in the NVD. diff --git a/renovate.advisories.yaml b/renovate.advisories.yaml index d280e06d3..05ea7f876 100644 --- a/renovate.advisories.yaml +++ b/renovate.advisories.yaml @@ -24,3 +24,8 @@ advisories: type: fixed data: fixed-version: 37.186.1-r0 + - timestamp: 2024-02-18T16:00:09Z + type: false-positive-determination + data: + type: vulnerable-code-version-not-used + note: The vulnerability is only present in versions of ip before v1.1.8, but we have version 2.0.0. The metadata is wrong in the NVD. diff --git a/sqlpad.advisories.yaml b/sqlpad.advisories.yaml index 12cc9a995..d6275a561 100644 --- a/sqlpad.advisories.yaml +++ b/sqlpad.advisories.yaml 
@@ -20,3 +20,8 @@ advisories: componentType: npm componentLocation: /usr/bin/sqlpad-server/node_modules/ip/package.json scanner: grype + - timestamp: 2024-02-18T16:00:25Z + type: false-positive-determination + data: + type: vulnerable-code-version-not-used + note: The vulnerability is only present in versions of ip before v1.1.8, but we have version 2.0.0. The metadata is wrong in the NVD.
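Review bot: the note added in lerna.advisories.yaml (and repeated verbatim in the other five files) asserts "we have version 2.0.0" without recording where that was read, and the whole determination rests on the NVD affected range being wrong. Suggest the note point at the evidence already visible in the hunk context, i.e. the componentLocation line `/usr/local/lib/node_modules/lerna/node_modules/ip/package.json`, and name the advisory record the "prior to 1.1.8" range was taken from, so the false-positive determination can be re-checked if the NVD entry or its CPE is later corrected rather than standing on an unreferenced claim.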
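Review bot: in the npm.advisories.yaml hunk the new `false-positive-determination` event contradicts the `pending-upstream-fix` event that precedes it in the same context, which states "Upstream fixes are actively being attempted, such as in https://github.com/indutny/node-ip/pull/138, and once a solution is accepted we should incorporate that into this package." Those two events cannot both be the current state: if the code in the shipped ip 2.0.0 is genuinely unaffected, the pending-upstream-fix entry is stale and the note should say so; if upstream is still working on a fix for the shipped version, `vulnerable-code-version-not-used` is the wrong rationale and the nack is premature. Reconcile the two before merging, for example by stating in the note what the upstream PR changes relative to 2.0.0.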
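Review bot: renovate.advisories.yaml already carries a `type: fixed` event with `fixed-version: 37.186.1-r0` immediately before the new entry, so this finding is recorded as resolved by a package rebuild. Appending a false-positive determination after a fixed event leaves the file asserting two different resolutions for the same advisory; if the rebuild did not actually remove the flagged ip copy and the scanner still reports it, say so in the note, otherwise this hunk should be dropped so the `fixed` event remains the final state.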