Sonatype IDs Explained
Sonatype assigns its own IDs (SONATYPE-YYYY-####) to vulnerabilities when:
- No CVE exists: To provide immediate alerts for vulnerabilities discovered from various sources (GitHub, blogs, etc.) before a CVE is assigned.
- Multiple CVEs exist for a single flaw: To consolidate related CVEs and reduce duplicate alerts (e.g., Jackson Databind, ZIP Slip).
- Malware is detected: To quickly report malicious components found by Sonatype's automated systems.
Key points:
- Sonatype IDs allow faster vulnerability reporting.
- If a CVE is later assigned, it is added as a note on the Sonatype ID rather than replacing it, so existing notifications and waivers are not duplicated.
- Many vulnerabilities reported via GitHub "Issues" never receive a CVE, so Sonatype IDs are used to track them.
Common Questions about Sonatype IDs
What are Sonatype IDs?
- They are proprietary identifiers assigned by Sonatype to vulnerabilities.
Why does Sonatype use its own IDs?
- To provide immediate alerts when a CVE is not yet available.
- To consolidate multiple CVEs related to the same vulnerability.
- To quickly report malware detections.
What happens when a CVE is later assigned?
- The CVE is added as a note to the Sonatype ID, not as a replacement.
Why not just use CVEs?
- Many vulnerabilities, especially those from GitHub "Issues," never receive CVEs.
- Using Sonatype IDs reduces duplicate alerts.
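As an added illustration (not Sonatype's code or API) of the consolidation behaviour described in the key points and in the questions above, the following Python sketch classifies identifiers by format and drops CVE findings that are already carried as notes on a Sonatype ID for the same component; the record shape and all sample identifiers are constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed patterns: the Sonatype format given on the page (SONATYPE-YYYY-####)
# and the public CVE format (CVE-YYYY-NNNN, four or more digits).
SONATYPE_ID = re.compile(r"^SONATYPE-\d{4}-\d{4}$")
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def id_kind(identifier: str) -> str:
    """Classify an identifier as 'sonatype', 'cve' or 'unknown'."""
    if SONATYPE_ID.match(identifier):
        return "sonatype"
    if CVE_ID.match(identifier):
        return "cve"
    return "unknown"

@dataclass
class Finding:
    """One record in a local finding list (constructed shape, not a Sonatype API)."""
    identifier: str
    component: str
    cve_notes: tuple[str, ...] = ()  # CVEs later attached to a Sonatype ID as notes

def dedupe_alerts(findings: list[Finding]) -> list[Finding]:
    """Keep one alert per flaw: a CVE finding is dropped when the same component
    already has a Sonatype-ID finding carrying that CVE as a note."""
    covered = set()  # (component, cve) pairs already covered by a Sonatype ID
    for f in findings:
        if id_kind(f.identifier) == "sonatype":
            covered.update((f.component, cve) for cve in f.cve_notes)
    return [
        f for f in findings
        if not (id_kind(f.identifier) == "cve" and (f.component, f.identifier) in covered)
    ]

# Constructed sample: a placeholder Sonatype ID with two CVEs attached as notes,
# plus the same CVEs arriving again from a CVE-based feed.
SAMPLE = [
    Finding("SONATYPE-2020-0001", "example-lib:1.0", ("CVE-2020-11111", "CVE-2020-22222")),
    Finding("CVE-2020-11111", "example-lib:1.0"),   # duplicate of the note above
    Finding("CVE-2020-22222", "example-lib:1.0"),   # duplicate of the note above
    Finding("CVE-2020-33333", "example-lib:1.0"),   # no Sonatype note: still alerts
    Finding("CVE-2020-11111", "other-lib:2.0"),     # different component: still alerts
]

if __name__ == "__main__":
    for f in dedupe_alerts(SAMPLE):
        print(f.identifier, f.component)
```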