Description
Hi Team!
There is this alleged vulnerability: https://github.com/nodejs/security-wg/blob/main/vuln/npm/362.json
The JSON contains the following for redis-commander:
Lines 14 to 15 in f2b2be5
```json
"vulnerable_versions": "<=0.13.12",
"patched_versions": null,
```
There is no 0.13.12 version for redis-commander, the newest version is 0.9.1:
https://github.com/joeferner/redis-commander/tags
https://github.com/joeferner/redis-commander/pkgs/container/redis-commander
and 0.9.0 on npm
https://www.npmjs.com/package/redis-commander?activeTab=versions
The issue was discussed and closed with resolution in this hackerone thread: https://hackerone.com/reports/296377
And a gh issue is opened in the project repo: joeferner/redis-commander#227
The gh issue is closed, this comment shows it is fixed: joeferner/redis-commander#227 (comment)
The clipboard.swf file is indeed removed since the v0.5.0 version (git tag) with this commit: joeferner/redis-commander@1a483eb
Please update the file https://github.com/nodejs/security-wg/blob/main/vuln/npm/362.json based on this information, because Trivy is picking up this vulnerability as unknown severity, thus reporting it as a false positive: aquasecurity/trivy#10024 (comment)
Thank you!
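
The range problem reported above can be checked mechanically. The following is an added example, not part of the original issue and not code from security-wg or Trivy: it flags an advisory whose upper bound was never published or whose range still matches releases at or after the fix. The function names, the version list (only the versions the issue names) and the `<0.5.0` range used in testing are assumptions made for illustration.

```javascript
// Constructed data: only the values quoted in the issue above.
const ADVISORY = { vulnerable_versions: '<=0.13.12', patched_versions: null };
const PUBLISHED = ['0.5.0', '0.9.0', '0.9.1']; // versions the issue names
const FIXED_IN = '0.5.0'; // assumption: first release without clipboard.swf

// Parse "1.2.3" or "v1.2.3" into [1, 2, 3]; pre-release tags are ignored.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison per component, so 0.13.12 > 0.9.1 (not string order).
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Only the simple "<=X" and "<X" range forms are handled here.
function parseRange(range) {
  const m = /^(<=|<)\s*(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return { op: m[1], bound: m[2] };
}

function inRange(version, range) {
  const { op, bound } = parseRange(range);
  const c = compare(version, bound);
  return op === '<=' ? c <= 0 : c < 0;
}

// Flag a range whose bound was never released or that still matches fixed releases.
function auditAdvisory(advisory, published, fixedIn) {
  const range = advisory.vulnerable_versions;
  const { bound } = parseRange(range);
  const newest = [...published].sort(compare).pop();
  return {
    boundNeverPublished: !published.some((v) => compare(v, bound) === 0),
    boundAboveNewest: compare(bound, newest) > 0,
    fixedButFlagged: published.filter(
      (v) => compare(v, fixedIn) >= 0 && inRange(v, range)),
  };
}

console.log(auditAdvisory(ADVISORY, PUBLISHED, FIXED_IN));
```

A non-empty `fixedButFlagged` list is the false-positive condition: a scanner matching on this range reports every listed release even though the vulnerable file is no longer shipped in it.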