Exclude incorrectly reported CVE. This CVE only impacts Express.js ve…

…rsions below 3.21.1. The issue has been reported to Sonatype.
finos · Dec 3, 2024 · 2aa0a40 · 2aa0a40
1 parent 590689d
commit 2aa0a40
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/allow-list.json b/allow-list.json
@@ -3,6 +3,7 @@
         { "id": "sonatype-2012-0022", "reason": "ExpressJs has no intentions of fixing this `HTTP Splitting Attack`" },
         { "id": "CVE-2022-2596", "reason": "Typespec Compiler using node-fetch < 3.2.10" },
         { "id": "sonatype-2022-3677", "reason": "Node-fetch - Exposure of Sensitive Information to an Unauthorized Actor" },
-        { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" }
+        { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" },
+        { "id": "CVE-2024-10491", "reason": "This CVE only impacts Express.js up to version 3.12.1 but the Sonatype database incorrectly stamps every version." }
     ]
 }