jQuery.Validation sonatype-2022-3016 already fixed in 1.19.4

Question

jQuery.Validation sonatype-2022-3016 already fixed in 1.19.4

Closed this issue 2 years ago · 2 comments

To facilitate future automation, please use the following format

Advisory details

  URL: [<Advisory URL>](https://ossindex.sonatype.org/vulnerability/sonatype-2022-3016?component-type=nuget&component-name=jQuery.Validation)
  format: nuget
  namespace: <maven groupid, npm scope, etc.>
  name: jQuery.Validation
  versions: 1.19.4 is patched, but failing still showing as vulnerable

More information
Any additional information that might be useful/interesting

Answer 1 · 2022-07-12T17:40:33.000Z

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

Answer 2 · 2022-08-23T17:29:03.000Z

Sonatype Deep Dive research determined that the Nuget format is still vulnerable to this issue due to the presence of the jquery.validate-vsdoc.js file that contains the vulnerable regex.

We will be updating OSS Index to better report when and why we deviate from the CVE