Replies: 1 comment
@rsholokh, you refer to Dependency-Check... I assume that this is a typo. Correct?

Assuming that your question is about Dependency-Track, then the information you seek is available in DT as long as you have enabled GitHub Advisories as a vulnerability source.

Example, GHSA-r38f-c4h4-hqq2 (affecting postgresql). When viewing the vulnerability in DT, click on "View Details" and then, in the resulting dialog, select "Affected Components":

If you click on the GHSA link above then you will see that what is listed in DT matches what is in the original GHSA vulnerability listing.

This GHSA vulnerability is aliased to Not nearly so useful... but those are the limitations of CPE and NVD for you.
Hey guys! Please tell me if there is any way to get the last vulnerable (or first non-vulnerable) version of a dependency, like "versionEndExcluding" in OWASP dependency-check? The standard UI just shows the last existing version of the dependency.