Our DependencyTrack instance is currently reporting Microsoft.Data.SqlClient version 5.2.0 as vulnerable for CVE-2024-0056. According to the CVE, that vulnerability only exists in versions 2.1.7, 3.1.5, 4.0.5 and 5.1.3, but not 5.2. I've asked the maintainers of this package what the regular procedure is and whether the CVE needs updating, but according to them that is not how it is supposed to work, which makes sense, since that would create a maintenance hell. See dotnet/SqlClient#2391 for reference.
Steps to Reproduce
1. Upload the attached BOM (bom.json) to DependencyTrack.
2. DependencyTrack shows the project as being vulnerable for CVE-2024-0056.
Expected Behavior
I would expect DependencyTrack to not show version 5.2.0 of Microsoft.Data.SqlClient as being vulnerable
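To triage a match like this one, the first check is whether the component version actually falls inside the advisory's affected ranges rather than merely sharing a product name. The following is an added example, not Dependency-Track code: it assumes the four versions named above are the patched releases of four release branches, and evaluates a component version against the constructed ranges.

```python
# Constructed affected-version ranges for CVE-2024-0056 (an assumption:
# the four versions named in the report are taken as the fixed releases of
# four branches). Each entry is (min_inclusive, max_exclusive); None = open.
AFFECTED_RANGES = [
    (None, "2.1.7"),
    ("3.0.0", "3.1.5"),
    ("4.0.0", "4.0.5"),
    ("5.0.0", "5.1.3"),
]


def parse_version(v):
    """Turn '5.2.0' or '5.2.0-preview1' into a comparable tuple.

    Numeric parts compare as ints and are padded to four places, so that
    '5.2' equals '5.2.0.0'. A pre-release suffix sorts before the release
    of the same number, matching NuGet ordering for this purpose.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (4 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def matching_range(version, ranges=AFFECTED_RANGES):
    """Return the first (lo, hi) range containing version, else None.

    Returning the range rather than a bool lets a reviewer see which
    advisory entry produced the hit when a false positive is suspected.
    """
    v = parse_version(version)
    for lo, hi in ranges:
        if lo is not None and v < parse_version(lo):
            continue
        if hi is not None and v >= parse_version(hi):
            continue
        return (lo, hi)
    return None


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if version lies inside any affected range."""
    return matching_range(version, ranges) is not None


if __name__ == "__main__":
    for candidate in ("5.2.0", "5.1.3", "5.1.2", "2.1.6"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```

If a scanner still flags a version that this check rejects, the mismatch lies in the scanner's copy of the affected-version data (for example an unbounded product entry), not in the component.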
Dependency-Track Version
4.10.1
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome