NVD Report Correction not Appearing in Dependency Track at Reanalysis #6058
Recently the BouncyCastle Java libraries were reported with CVE-2026-5598, which on initial entry had incorrect version information, so that even if you were on the latest version of 1.84, which is the version where this particular CVE was corrected, Dependency Track sent a notification that we have an open CVE. Later BouncyCastle updated the CVE to include the correct information. It has been 2 days now and I see that my Dependency Track has at least updated its CVE listings from NVD, but even though I've requested it to perform reanalysis of the project I'm still seeing the CVE listed for that project. I know I can suppress it as a false positive, but I would like to know if there's a reason that the updated NVD listings are not being passed to the analysis of my project. Is this a failure of the NVD not providing the changes, or does Dependency Track not parse these changes?
This is likely caused by #5460