https://lnkd.in/dCsRaXt8
An interesting story about #node-ip over the last few days has again raised the problem of false CVE reports. The library's developer, Fedor Indutny, switched the project's repository to read-only (archived it). This happened after he ran into problems following a CVE report whose severity he had unsuccessfully tried to dispute for several months.
After the publication, weekly node-ip downloads dropped from 30 million to 17 million, and the false CVE triggered a warning when building projects, which users began reporting en masse. As a result, the project was archived, which made the news, and GitHub finally downgraded the severity. Access to the repository has now been restored (https://lnkd.in/d83kMqbK), and there are people willing to help get the CVE revoked. But the problem of attackers, of novice researchers padding their portfolios with vulnerabilities obtained by dubious methods, and of lags in interaction between industry participants remains. And, most likely, it will only grow, continuing to wear on developers' nerves.
#falsepositive #false #cve #reputation #github #nodeip