Merge pull request #1205 from AttilaMihaly/report-invalid-exposed-module

Report invalid exposed modules
finos · Dec 13, 2024 · 853dc0e · 853dc0e
2 parents c936db7 + 52a6b1d
commit 853dc0e
Show file tree

Hide file tree

Showing 7 changed files with 147 additions and 526 deletions.
diff --git a/allow-list.json b/allow-list.json
@@ -3,6 +3,7 @@
         { "id": "sonatype-2012-0022", "reason": "ExpressJs has no intentions of fixing this `HTTP Splitting Attack`" },
         { "id": "CVE-2022-2596", "reason": "Typespec Compiler using node-fetch < 3.2.10" },
         { "id": "sonatype-2022-3677", "reason": "Node-fetch - Exposure of Sensitive Information to an Unauthorized Actor" },
-        { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" }
+        { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" },
+        { "id": "CVE-2024-10491", "reason": "This CVE only impacts Express.js up to version 3.12.1 but the Sonatype database incorrectly stamps every version." }
     ]
 }