False Positives identified with Pandas versions

[aja08379]

Current Behavior

DependencyTrack is currently identifying vulnerabilities in versions of Pandas that do not contain them.

Steps to Reproduce

1. Upload the test SBOM attached (example.txt)to an example project, using the application classifier.
   example.txt

2. Check the Audit Vulnerabilities tab. Here you will see CVE-2020-13091 is listed for each Pandas version. The description begins:

pandas through 1.0.3

3. Note that all the Pandas versions listed are later than the vulnerable version.

Expected Behavior

This vulnerability should not be listed.

Dependency-Track Version

4.8.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[aja08379]

@nscuro received notice that this has been resolved as part of #2315. However, checking the latest dev release (dependencytrack/apiserver:3357-refactor-bom-processing) from #3357, the issue is still present. Also seeing it with other packages e.g

Can share the full SBOM we're scanning privately if needed. The example SBOM attached at the top also still shows the same incorrect behaviour in the latest dev release.

[ddresser]

I'm seeing this with pandas 2.2.2 and DependencyTrack 4.11.5

[samholton]

Still seeing this issue in 4.11.7