How to change affected version range in Vulnerability Assessment?
-
Hello
Is there a way to change the range of affected package versions in a vulnerability assessment? Background: for the NuGet package bootstrap, the vulnerability CVE-2024-6531 is assessed for a wide range of versions, namely 4.5.3, 5.2.3, 3.0.0, 3.3.7, 4.6.1, 3.3.0, 3.4.1, 5.3.3, 3.3.2, 5.3.2, 4.3.1 (see screenshot). But the versions 5.3.2 and 5.3.3 are not affected by this vulnerability. I would like to exclude these versions, but don't know how? We use ProGet Basic, version 2023.18 (Build 15).
Thank you for any feedback.
-
Hi @itadmin_9894 ,
It's not possible to edit vulnerability records, as they are updated/sourced from outside of your ProGet software.
You're also using an older version of ProGet that sources data from OSS Index. That database is generally unreliable and outdated, so if you're concerned about vulnerabilities you should definitely upgrade:
https://docs.inedo.com/docs/proget/installation/proget-old-versions-migration/proget-compliance-ossindex
It looks like the similar/equivalent is here:
https://security.inedo.com/vulnerability/details/PGV-245118T
Cheers,
Alana
-
Hi @atripp ,
Thank you for your quick reply. We will try your suggested approach and migrate from OSS Index to ProGet's Vulnerability Database. We will also update our server installation.
There are other libraries with the same issue, so your statement regarding the reliability of OSS Index as a data source seems to be accurate.
Best regards