Event JSON
{
"id": "b97823699366d7a5583b47b7c5de15b1166234e99e50e335d33ab6243116ce9e",
"pubkey": "c08360c0d911bd8a814f791adeddaad7187e776ef771df962938b23a0209acae",
"created_at": 1729176142,
"kind": 1,
"tags": [
[
"t",
"githubsecurity"
],
[
"t",
"semver"
],
[
"content-warning",
"GitHub Security and too many ways to sort versions"
],
[
"proxy",
"https://social.rossabaker.com/users/ross/statuses/113323287703435025",
"activitypub"
]
],
"content": "We had a vulnerable dependency affecting versions `\u003c 9.4.54` and patched it with `9.4.54.v20240208`. The CVE is declared in the Maven ecosystem, and while this version is correct according to Maven's rules [^1], it does not satisfy the predicate according to SemVer [^2], and the vulnerability scan continues to fire.\n\n[^1]: https://maven.apache.org/ref/3.9.9/maven-artifact/apidocs/org/apache/maven/artifact/versioning/ComparableVersion.html\n[^2]: https://semver.org/#spec-item-11\n\n#GitHubSecurity #SemVer",
"sig": "9ad069b2ffda5ef6de2945adbfe32f12035279a37adc6d2273862421527b4d2e126040fe7859b504fb92af94ca3b74288f31b0943a3dc16375d237fb225cba52"
}