Symptom
A CVE identifier that was previously being reported on in Nexus Lifecycle can no longer be found by users with the Vulnerability Lookup tool in Nexus Lifecycle.
Also, when viewing the vulnerability details of a component in a report, a dialog may appear explaining that the report is out of date and suggesting that a new scan be run:
This version of the violation report is outdated. Sonatype IQ Server has updated the vulnerability status for this and other related components. Run a new scan to detect the latest violations.
Explanation
Vulnerabilities are regularly updated. A component may not have any known vulnerabilities today, but something could be found tomorrow. Conversely, something that is considered vulnerable today could be disputed and upon further investigation found to be not vulnerable.
Lifecycle security data is also constantly updated to ensure it is providing as up-to-date info as it can.
The message observed in the Vulnerability Details and the absence of the CVE from the Vulnerability Lookup are both indicators that this is what happened: the report is a snapshot of the security data at the time of the scan. To get the latest data, a new application scan should be performed.
Example Scenario
In the case of commons-codec : commons-codec : 1.14, SONATYPE-2024-013111 was initially created when we received a report from one of the sources we ingest from that this component was vulnerable. When our Security team carried out a deep-dive analysis, however, it was found to be a false positive, and so the vulnerability was removed from the Sonatype data sources. A report generated before that removal still lists the identifier, while the Vulnerability Lookup, which queries the current data, no longer finds it.
Advice
To ensure your applications are reporting the most accurate data, set up continuous monitoring for your applications and use Lifecycle integrations at the various stages of your application lifecycle, so that reports are regenerated as the security data changes.