New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Ghost" package should not be reported as a fix for vulnerability #1650

Open

TG1999 opened this issue Nov 12, 2024 · 0 comments · May be fixed by #1679

Assignees

Labels

3-next Priority: high

Milestone

v36.0.0 - 3-next

Contributor

TG1999 commented Nov 12, 2024

https://public.vulnerablecode.io/packages/pkg:maven/log4j/[email protected]?search=maven/log4j

Reports https://public.vulnerablecode.io/packages/pkg%3Amaven/log4j/log4j%402.17.0?search=pkg:maven/log4j/[email protected] as the latest non vulnerable version of log4j. But this is a ghost package. We should not report ghost package as fix/non vulnerable for anything.

TG1999 added the 2-next label

TG1999 assigned keshav-space

TG1999 modified the milestones: v35.0.0 - 2-next, v36.0.0 - 3-next

keshav-space linked a pull request

that will close this issue

Do not report ghost package as a fix for vulnerability #1679

Open

TG1999 added 3-next Priority: high and removed 2-next labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment