Exclude incorrectly reported CVE. This CVE only impacts Express.js versions below 3.21.1. The issue has been reported to Sonatype.

AttilaMihaly · AttilaMihaly · commit 2aa0a40212c7 · 2024-12-03T22:30:49.000+01:00
diff --git a/allow-list.json b/allow-list.json
@@ -3,6 +3,7 @@
         { "id": "sonatype-2012-0022", "reason": "ExpressJs has no intentions of fixing this `HTTP Splitting Attack`" },
         { "id": "CVE-2022-2596", "reason": "Typespec Compiler using node-fetch < 3.2.10" },
         { "id": "sonatype-2022-3677", "reason": "Node-fetch - Exposure of Sensitive Information to an Unauthorized Actor" },
-        { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" }
+        { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" },
+        { "id": "CVE-2024-10491", "reason": "This CVE only impacts Express.js up to version 3.12.1 but the Sonatype database incorrectly stamps every version." }
     ]
 }

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	{ "id": "sonatype-2012-0022", "reason": "ExpressJs has no intentions of fixing this `HTTP Splitting Attack`" },
`4`	`4`	`{ "id": "CVE-2022-2596", "reason": "Typespec Compiler using node-fetch < 3.2.10" },`
`5`	`5`	`{ "id": "sonatype-2022-3677", "reason": "Node-fetch - Exposure of Sensitive Information to an Unauthorized Actor" },`
`6`		`- { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" }`
	`6`	`+ { "id": "sonatype-2021-0078", "reason": "After scanning the code we found that we are not using the impacted Express.js functions" },`
	`7`	`+ { "id": "CVE-2024-10491", "reason": "This CVE only impacts Express.js up to version 3.12.1 but the Sonatype database incorrectly stamps every version." }`
`7`	`8`	`]`
`8`	`9`	`}`