anyone know how to fix the following CVE kotlinx-serialization-core-jvm-1.3.2.jar: CVE-2020-29582, CVE-2019-10102, CVE-2019-10101, CVE-2019-10103?

I believe it could be a false positive warning

@Alfy can I ask which tool or source you're using to detect these? • CVE-2020-29582: kotlinx-serialization 1.3.2 doesn't have an explicit dependency on kotlin <1.4.21, so it is indeed a false positive. • CVE-2019-10102: That's for ktor and not kotlinx.serialization • CVE-2019-10101: For kotlin < 1.3.30 • CVE-2019-10103: The IDEA kotlin template (?)

I think I'll go with supressing them, seems like a false postive

In my experience, SonarQube isn't very useful for CVEs. Something like Snyk or Nexus IQ is much better, albeit paid.

I propose snyk to my team, and we're currently thinking about it

The root cause in a lot of causes is, as Sam mentioned before, CPEs. It's a terrible format/specification and most CPEs seem like lazy guess work at best. For example, the CPE for CVE-2021-44228 is `cpe2.3aapachelog4j2.0-::*:*:*:*:*`,* but the actual affected package was

org.apache.logging.log4j:log4j-core

. Tools like Snyk, Nexus IQ, or Jfrog Xray are backed by actual security research teams that not only review the advisories, but translate them to the appropriate affected packages. Tools like SonarQube just dump the NVD feed into your project and make you figure out whether it's a false positive or not. There was a specification created called "Package URL" that was intended to fix the issue. Instead, it seems like NIST went with "SWID" tags, which IMO are just as confusing and bad as CPEs.

lol did not know about that.. still new at this.