Incorrect vulnerability details

[martin-traverse]

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2022-25878?component-type=npm&component-name=protobufjs

Component URL

https://ossindex.sonatype.org/component/pkg:npm/protobufjs@6.11.3?utm_source=dependency-check&utm_medium=integration&utm_content=7.1.1

Description

This issue is fixed in protobufjsl 6.11.3, from 6.11.2. The vulnerability explicitly states so, and there is a commit here:

protobufjs/protobuf.js#1731

However, component version 6.11.3 is still flagged as having this vulnerability, and there is not yet a later version available.

Please can the component be updated so version 6.11.3 does not report this vulnerability? Alternatively, if there is still an issue, we'd need to update the vulnerability and report it to the package maintainer.

Hope this makes sense, apologies if I've missed something!

[ken-duck]

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

[ken-duck]

I just heard back. We have additional information from the researchers on this issue:

The Sonatype security research team discovered that the fix for this vulnerability was actually introduced in source files instead of distribution files. The fix should be fully released on the 6.12.0 version. Reference. Also, we discovered that this vulnerability was introduced in version 6.10.0-beta.1 and therefore does not affect all versions prior to version 6.11.3 as stated by the advisory.

We are working on a feature to surface researcher comments when appropriate.

[martin-traverse]

Thanks for the update, much appreciated. I see protobufjs have now released a new major version as well:

https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.0.0