failure checking when handled jar file #3148
I want this tool to be able to check for vulnerabilities in jsoup 1.9.2 in the database. How can I achieve this?
@firefive4u The tool will check for vulnerabilities in a jar file. The tool correctly identifies the product, but because there is no vendor associated with the vulnerability it is unable to detect the vulnerabilities. This is a limitation of the tool. To handle the case where the product vendor is not known, we are planning to support package URLs (PURL), e.g. pkg:maven/org.jsoup/jsoup@1.9.2, for products identified within an SBOM.
I think any solution we make for #3152 might be generalizable to handle mappings for jar files better too. I think the solution for that will need some sort of lookup table that people could add to with vendor mappings for common products (we have these mappings for binary findings, but not yet for pom.xml findings). Not sure if we'll get to that before the planned PURL support, but it's another approach for improvement. As a workaround in the meantime, you could maybe use a multi-step process:
I know, probably not the most satisfying. But that will work right now while we sort out how to do better.
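To make the vendor-mapping idea from the comment above concrete, here is an added example (not cve-bin-tool's own code, and not written by anyone in this thread). It parses a Maven package URL of the form mentioned earlier, resolves the vendor through a small user-extensible lookup table, and only then queries a vendor/product keyed database. The `VENDOR_MAP`, `SAMPLE_DB` rows, CVE placeholder identifiers and version ranges are all constructed for illustration; with an empty mapping the lookup returns nothing, which is exactly the "product found, vendor unknown, no CVE" situation the issue describes.

```python
"""Resolve a Maven PURL to (vendor, product, version) via a mapping table.

Added illustration, not cve-bin-tool code. All database rows, CVE ids and
version ranges below are constructed placeholders.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed lookup table: (group id, artifact id) -> vendor name used by the
# vulnerability database. Users would extend this for products they care about.
VENDOR_MAP = {
    ("org.jsoup", "jsoup"): "jsoup",
}

# Constructed rows shaped like vendor/product version-range matches:
# (vuln id, vendor, product, first affected inclusive, fixed version exclusive)
SAMPLE_DB = [
    ("CVE-0000-PLACEHOLDER-1", "jsoup", "jsoup", "0", "1.14.2"),
    ("CVE-0000-PLACEHOLDER-2", "jsoup", "jsoup", "0", "1.15.3"),
    ("CVE-0000-PLACEHOLDER-3", "apache", "commons-text", "1.5", "1.10.0"),
]


@dataclass(frozen=True)
class MavenPurl:
    group: str
    artifact: str
    version: str


def parse_maven_purl(purl: str) -> MavenPurl:
    """Parse pkg:maven/<group>/<artifact>@<version>[?qualifiers][#subpath]."""
    prefix = "pkg:maven/"
    if not purl.startswith(prefix):
        raise ValueError(f"not a maven purl: {purl}")
    rest = purl[len(prefix):]
    # Qualifiers (?type=jar) and subpaths (#...) do not affect identity here.
    rest = rest.split("?", 1)[0].split("#", 1)[0]
    path, sep, version = rest.partition("@")
    if not sep or not version:
        raise ValueError("maven purl must carry a version")
    group, sep2, artifact = path.rpartition("/")
    if not sep2 or not group or not artifact:
        raise ValueError("maven purl needs <group>/<artifact>")
    return MavenPurl(unquote(group), unquote(artifact), unquote(version))


def version_key(version: str) -> tuple:
    """Crude numeric ordering key; non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def resolve_vendor(purl: MavenPurl, vendor_map=VENDOR_MAP):
    """Return the database vendor for a Maven coordinate, or None if unmapped."""
    return vendor_map.get((purl.group, purl.artifact))


def find_vulns(purl_str: str, db=SAMPLE_DB, vendor_map=VENDOR_MAP) -> list:
    """Return the ids of database rows whose version range covers the PURL."""
    purl = parse_maven_purl(purl_str)
    vendor = resolve_vendor(purl, vendor_map)
    if vendor is None:
        # The failure mode from the issue: product and version are known, but a
        # vendor-keyed database cannot be queried without a vendor.
        return []
    v = version_key(purl.version)
    return [
        vuln_id
        for vuln_id, vend, prod, lo, hi in db
        if vend == vendor
        and prod == purl.artifact
        and version_key(lo) <= v < version_key(hi)
    ]


if __name__ == "__main__":
    target = "pkg:maven/org.jsoup/jsoup@1.9.2"
    print("with mapping:   ", find_vulns(target))
    print("without mapping:", find_vulns(target, vendor_map={}))
```

The mapping table is the piece a user would maintain; everything else is generic. A real scanner would replace `version_key` with a proper Maven version comparator and `SAMPLE_DB` with its actual database query.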
@firefive4u Once merged, #3150 will find vulnerabilities in JSOUP 1.9.2.
Thanks all for your responses, glad to hear that.
When I used it to test jsoup-1.9.2.jar, no CVE was found and no product was found. Not sure what happened; there was a pom.xml in the jar. Could you help with it?