I think it had been done since the report seems to concern v8/v9; this is why, from my window, Sonatype missed some data in their DB and it triggers false positives for any recent Tomcat build.
Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>

On Mon, 16 Oct 2023 at 14:30, Mark Thomas <ma...@apache.org> wrote:

> On 16/10/2023 13:11, Romain Manni-Bucau wrote:
> > Hi all,
> >
> > It seems ossindex reports an invalid CVE for tomcat:
> > https://ossindex.sonatype.org/component/pkg:maven/org.apache.tomcat/tomcat-coyote@10.1.15
> > (https://ossindex.sonatype.org/vulnerability/CVE-2023-42794)
> >
> > Am I right assuming it is due to the way coordinates are entered in their
> > system more than an actual issue, or did I miss something?
> > Should we send a mail to ossin...@sonatype.org to get it fixed?
>
> It isn't clear to me what Sonatype think the problem is. I have no
> interest in creating an account to find out.
>
> If Sonatype have identified an error in the report (I've looked but
> can't see one) then Sonatype should report it to the Tomcat security
> team via the usual channel (secur...@tomcat.apache.org).
>
> Mark