Security Alerts

We tried putting a few entries in pom.xml which have known vulnerabilities, but GitHub shows alerts for only a few of them. For example, Commons Collections 3.2.1 has a known vulnerability, but no alert is shown for it.

Please advise if the alerts are for selective jars or it covers all CVE vulnerabilities.

Hi @mshadab-adeptia,

Thanks for being here! 

GitHub uses the following sources to track vulnerabilities in packages from supported languages:

For more information, see “About maintainer security advisories.”

Hi @andreagriffiths11, Thanks for your response. 

In all the sources used to track vulnerabilities, there are some vulnerabilities which are not getting caught, and those vulnerabilities are listed in the MITRE CVE tool. Is there some automated way to ensure that all reported vulnerabilities are caught? The other option is to manually check all of the jar files one by one.

For example, activemq-all (v5.7.0) and commons-collections (v3.2.1) have known vulnerability issues, but it doesn't give alerts for these jars.

https://www.cvedetails.com/cve/CVE-2017-15708/

https://www.cvedetails.com/cve/CVE-2019-0222/

I have exactly the same question, because I wondered why there is no alert in my project,

which is a small project just for showing vulnerabilities in code, and I also use activemq-all 5.7 and javax.servlet 3.1.1.

There are definitely vulnerabilities in the NIST database, because OWASP Dependency-Check finds them.
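The posts above ask for an automated way to make sure every dependency in a pom.xml gets checked rather than relying on one alerting service. The script below is an added example and is not code from the thread, from GitHub or from OWASP Dependency-Check: it extracts the Maven coordinates from a pom.xml (resolving `${property}` versions, which is where a naive grep misses entries), then compares each one against a local advisory table. The sample pom.xml is constructed to resemble the one discussed, and the advisory table is also constructed for the demo: it reuses the two CVE identifiers linked in the thread, but the "fixed_in" boundaries are assumptions, so in practice the table would be filled from NVD or the GitHub Advisory Database rather than typed in by hand. Version ordering is a simplified numeric comparison, not Maven's full qualifier-aware ordering.

```python
"""List every Maven dependency in a pom.xml and match it against a local
advisory table. Added example; advisory ranges below are assumptions."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml, modelled on the thread's description.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties>
    <activemq.version>5.7.0</activemq.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-all</artifactId>
      <version>${activemq.version}</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>3.1.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory table keyed by (groupId, artifactId). The CVE ids are the
# ones cited in the thread; the "fixed_in" boundaries are ASSUMPTIONS for the
# demo and must be replaced with data from NVD / GitHub Advisory Database.
ADVISORIES = {
    ("commons-collections", "commons-collections"): [
        {"id": "CVE-2017-15708", "fixed_in": "3.2.2"},
    ],
    ("org.apache.activemq", "activemq-all"): [
        {"id": "CVE-2019-0222", "fixed_in": "5.15.9"},
    ],
}


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    version: str


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else ""


def _resolve(value, props):
    # Substitute ${name} from <properties>; unknown names are left as-is so
    # they show up in the output instead of silently vanishing.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_pom(xml_text):
    """Return the Coordinate of every <dependency> with properties resolved."""
    root = ET.fromstring(xml_text)
    props = {}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()
    props.setdefault("project.version", _text(root, "version"))
    return [
        Coordinate(_text(d, "groupId"), _text(d, "artifactId"),
                   _resolve(_text(d, "version"), props))
        for d in root.findall("m:dependencies/m:dependency", NS)
    ]


def version_key(version):
    # Simplification: numeric dotted versions only; non-numeric parts count as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(version, fixed_in):
    return version_key(version) < version_key(fixed_in)


def find_vulnerable(coords, advisories):
    """Return (Coordinate, cve_id) pairs for dependencies below the fixed version."""
    hits = []
    for c in coords:
        for adv in advisories.get((c.group_id, c.artifact_id), []):
            if is_affected(c.version, adv["fixed_in"]):
                hits.append((c, adv["id"]))
    return hits


if __name__ == "__main__":
    deps = parse_pom(SAMPLE_POM)
    for d in deps:
        print(f"{d.group_id}:{d.artifact_id}:{d.version}")
    for coord, cve in find_vulnerable(deps, ADVISORIES):
        print(f"AFFECTED {coord.artifact_id} {coord.version} -> {cve}")
```

The value of the first loop is the complete, property-resolved list of coordinates: that is what gets pasted into a manual NVD search or handed to a tool, and it is the part that a grep for `<version>` gets wrong. Transitive dependencies pulled in by `activemq-all` and friends are not in the pom at all; for those, `mvn dependency:list` or OWASP Dependency-Check's Maven plugin is the right input, with this kind of table lookup applied to the result.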