CVE-2020-15250 doesn't affect versions prior to 4.7 but claims it did #1676
Comments
|
Thanks for raising the issue! You're right, of course. @JLLeitschuh I changed it here but that doesn't seem to update the published advisory. Do you know how that can be achieved? |
|
I'll send an email |
|
Many thanks @marcphilipp and @JLLeitschuh . The advisory has been updated. |
|
Sorry to bother here, but it seems that the given CVE is still recognised by OSSINDEX for version 4.13.1, see https://ossindex.sonatype.org/component/pkg:maven/junit/junit@4.13.1 |
|
I raised OSSIndex/vulns#127 to get it fixed. |
This was referenced Jun 27, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
GHSA-269g-pwp5-87pp says it affects any version prior to 4.13.1 which is not true as rules didn't exist before 4.7. So the proper range would be 4.7 up to 4.13.
This is probably not terribly important but it caused dependabot to cry wolf on projects that are (deliberately) still using older versions - like extensions for JUnit 3 that happen to be still maintained. The same is/will soon be true for a bunch of other static code analyzers checking oldish code bases.
The text was updated successfully, but these errors were encountered: