4 comments

[ 2.7 ms ] story [ 22.1 ms ] thread
Articulate post on the problems with bogus CVEs
From issue:

    * Checkmarkx (security vendor) reported bogus cve in april / may
    * Maintainers didn't agree the cve was real so they ignored it
    * Snyk and other automated scanners start harassing users about the cve
    * Users are annoyed by scanners and scary messages from all kinds of tools
    * Users start messaging devs, also devs of dependent packages which use micromatch
    * Hundreds, maybe thousands of hours are wasted


    In the end, the situation erodes trust into automated scanners. This is "a boy who've cried wolf" type of situation. When useless vulnerabilities get promoted, it's easy to lose track of something more important.


    Besides automated scanners, checkmarx should also be held responsible for this waste of everyone's time.