Hi, I built osquery from the latest master branch on Ubuntu and uploaded the built osqueryi for Black Duck scanning. It has 4 critical and 27 high vulnerabilities. Most of them are due to outdated dependency libraries. Is there any plan to upgrade those libraries? Thanks!
12/13/2020, 6:04 PM
Can you link to or provide the CVE numbers for the high severity issues?
Which, by the way, were only header usages, and the sqlite version was 126.96.36.199
But also, if Black Duck scans all the source it will always find false positives, because not all of the source is compiled.
I've never used the software, so I don't know how intelligent it is, but we would need to know what it is doing and what it is scanning.
the .csv seems to be saying that what has been scanned is the binary.
In any case, the other versions of sqlite we have in the source (but don't compile) are in sleuthkit and berkeley-db. None of them is version 3.4.2.
Also, grepping for "sqlite3_" doesn't show any functions defined outside of the ones we already know about (the correct one, the berkeley-db ones, the sleuthkit ones).