False positives for security fixes part of .NET 8.0.10 #7693
raoganeshr started this conversation in False Detection
Hello @raoganeshr
Can you update trivy-db?
same.
Do you mean |
IDs
CVE-2024-43485, CVE-2024-43483
Description
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485 & https://avd.aquasec.com/nvd/2024/cve-2024-43483 are fixed in .NET 8.0.10. However, the NuGet packages for the associated fixes are not numbered as 8.0.10. Hence, even after upgrading to the patched versions, we are unable to fix the Trivy findings. The Trivy database needs to be updated to correct the fixed package versions for these two NuGet packages.
System.Text.Json (CVE-2024-43485)
GHSA-8g4q-xg66-9fp4 - Has correct version
https://www.nuget.org/packages/system.text.json/
System.Runtime.Caching (CVE-2024-43483)
GHSA-qj66-m88j-hmgj - Has correct version
https://www.nuget.org/packages/System.Runtime.Caching/9.0.0-rc.2.24473.5
Reproduction Steps
Target
Filesystem
Scanner
Vulnerability
Target OS
No response
Debug Output
Version
Checklist
-f json
that shows data sources and confirmed that the security advisory in data sources was correct