
OWASP Dependency Scan on cve-2024-38816 and cve-2024-38819 #7471


Open
blueberry80 opened this issue Feb 25, 2025 · 2 comments

@blueberry80

Hi everyone,
Need your advice.

I have heard that the OWASP Dependency-Check scan is not able to detect cve-2024-38816 and cve-2024-38819. Can I check whether this is a false alarm? I am using the latest OWASP library to do my scanning. Does the latest library include detection of these 2 CVEs?

Thank you.

blueberry80 changed the title from "OWASP Scan on cve-2024-38816 and cve-2024-38819" to "OWASP Dependency Scan on cve-2024-38816 and cve-2024-38819" on Feb 25, 2025
@jeremylong
Collaborator

We use the NVD as the source of data.

Both of these are awaiting analysis at the NVD. Once that is complete, ODC should be able to detect them.

@aikebah
Collaborator

aikebah commented Mar 1, 2025

They should already be reported, assuming you have the OSSIndexAnalyzer enabled. cve-2024-38819 will in that case only be reported for versions that have the fix for cve-2024-38816 but are lacking that of cve-2024-38819; Sonatype OSSIndex seems to treat it as a follow-up issue that it only flags on versions that have the fix for cve-2024-38816.

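One way to answer the original question ("is it a false alarm?") is to check the scan output directly rather than the HTML report by eye. The script below is an added example, not Dependency-Check's own code: it reads an ODC JSON report and says, for each CVE ID you care about, which dependency it was reported against and from which data source (NVD or OSSINDEX), which is exactly the distinction the two replies above turn on. The field names it relies on ("dependencies", "fileName", "vulnerabilities", "name", "source") follow the JSON report layout as I understand it and should be treated as an assumption; the embedded sample report is constructed, not real scan output.

```python
"""Check an OWASP Dependency-Check JSON report for specific CVE IDs.

Added example, not part of Dependency-Check.  Assumed report layout: a
top-level "dependencies" list, each entry with "fileName" and an optional
"vulnerabilities" list whose items carry "name" (the CVE id) and "source"
(e.g. "NVD" or "OSSINDEX").  Adjust the keys if your report differs.
"""
import json
import sys
from collections import defaultdict

# Constructed sample resembling a trimmed JSON report; not real scan output.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-web-1.0.jar",
            "vulnerabilities": [
                {"source": "OSSINDEX", "name": "CVE-2024-38816", "severity": "HIGH"}
            ],
        },
        {
            "fileName": "example-web-1.1.jar",
            "vulnerabilities": [
                {"source": "OSSINDEX", "name": "CVE-2024-38819", "severity": "HIGH"}
            ],
        },
        {
            # No "vulnerabilities" key at all: the checker must not crash on this.
            "fileName": "example-util-3.0.jar"
        },
    ],
})


def load_sample():
    """Parse the constructed sample report into a dict."""
    return json.loads(SAMPLE_REPORT)


def find_cves(report, wanted):
    """Return {CVE_ID: [(fileName, source), ...]} for every wanted id found.

    Matching is case-insensitive, so 'cve-2024-38816' matches 'CVE-2024-38816'.
    """
    wanted_upper = {w.upper() for w in wanted}
    hits = defaultdict(list)
    for dep in report.get("dependencies", []):
        # "vulnerabilities" may be absent or null for clean dependencies.
        for vuln in dep.get("vulnerabilities") or []:
            name = str(vuln.get("name", "")).upper()
            if name in wanted_upper:
                hits[name].append((dep.get("fileName", "?"), vuln.get("source", "?")))
    return dict(hits)


def missing_cves(report, wanted):
    """Wanted ids that appear nowhere in the report (upper-cased)."""
    return {w.upper() for w in wanted} - set(find_cves(report, wanted))


def nvd_only(hits):
    """Ids reported solely with source NVD.

    For these, detection depends on the NVD having finished its analysis;
    an OSSINDEX hit does not have that dependency.
    """
    return {cve for cve, locs in hits.items() if all(src == "NVD" for _, src in locs)}


def main(argv):
    """Usage: python check_report.py [dependency-check-report.json]"""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    wanted = ["cve-2024-38816", "cve-2024-38819"]
    hits = find_cves(report, wanted)
    for cve, locs in sorted(hits.items()):
        for file_name, source in locs:
            print(f"{cve}: {file_name} (source={source})")
    missing = missing_cves(report, wanted)
    for cve in sorted(missing):
        print(f"{cve}: not reported")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Generate the input with the CLI (`dependency-check.sh --scan <dir> --format JSON --out report.json`) and run the script against the resulting file. A non-zero exit means at least one of the two CVEs is absent; if the IDs are present only with source NVD, keep in mind jeremylong's point that those entries depend on the NVD analysis state, and if they are absent entirely, check that the OSS Index analyzer has not been switched off (the CLI has a `--disableOssIndex` flag).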