    Inedo Community Forums

    devops_8569

    @devops_8569

    Reputation: 0 | Posts: 2 | Profile views: 1 | Followers: 0 | Following: 0

    Best posts made by devops_8569

    This user hasn't posted anything yet.

    Latest posts made by devops_8569

    • RE: Version matching / sorting fails for maven with string suffix

      Hi @dean-houston,
      thank you for the explanation. I understand that you don't want to risk the implementation for these special version numbers.

      On dealing with these false positives, it would be great to ignore a vulnerability just for a specific version, therefore fixing just the version mismatch, rather than deactivating the vulnerability globally.

      But I'll gladly wait for ProGet 2026 and check out the changes done to the CV management.
      Best regards

      posted in Support
      devops_8569
    • Version matching / sorting fails for maven with string suffix

      Hi,
      for versions that have a string suffix, like "2.3.23.Final", the vulnerability matching doesn't work. Most probably the root cause is the failing sort. Regarding the improper sort, see the attached screenshot.
      Example regarding vulnerability matching:
      PGV: https://security.inedo.com/vulnerability/details/PGV-2314320
      io.undertow:undertow-core ≥ 2.3.0 & < 2.3.5.Final, < 2.2.24.Final
      but even versions > 2.3.5.Final are still marked with severe (like the 2.3.23.Final).

      image (1).png

      Best regards

      posted in Support
      devops_8569