Incorrect vulnerability details for cytoscape (npm)

Question

Incorrect vulnerability details for cytoscape (npm)

Closed this issue 2 years ago · 2 comments

Vulnerability URL
https://ossindex.sonatype.org/vulnerability/sonatype-2021-0541

Component URL
https://ossindex.sonatype.org/component/pkg:npm/cytoscape

Description
First of all, the referenced vulnerability (https://www.huntr.dev/bounties/1-npm-cytoscape/) is inaccessible:

This report is not public

Secondly, the vulnerability type (CWE-1321) mentioned appears to be fixed in v3.21.0, but the latest versions (v3.21.1) still get reported as vulnerable by OSSIndex. The fix is in cytoscape/cytoscape.js#2959, released as part of v3.21.0 (see cytoscape/cytoscape.js@v3.20.2...v3.21.0).

Answer 1 · 2022-07-12T16:45:10.000Z

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

Answer 2 · 2022-08-23T18:37:40.000Z

Fix proof: https://ossindex.sonatype.org/component/pkg:npm/cytoscape@3.21.0