CVE-2020-15250 doesn't affect versions prior to 4.7 but claims it did

[bodewig]

GHSA-269g-pwp5-87pp says it affects any version prior to 4.13.1 which is not true as rules didn't exist before 4.7. So the proper range would be 4.7 up to 4.13.

This is probably not terribly important but it caused dependabot to cry wolf on projects that are (deliberately) still using older versions - like extensions for JUnit 3 that happen to be still maintained. The same is/will soon be true for a bunch of other static code analyzers checking oldish code bases.

[marcphilipp]

Thanks for raising the issue! You're right, of course.

@JLLeitschuh I changed it here but that doesn't seem to update the published advisory. Do you know how that can be achieved?

[JLLeitschuh]

I'll send an email

[bodewig]

Many thanks @marcphilipp and @JLLeitschuh . The advisory has been updated.

[gamma]

Sorry to bother here, but it seems that the given CVE is still recognised by OSSINDEX for version 4.13.1, see https://ossindex.sonatype.org/component/pkg:maven/junit/junit@4.13.1

[marcphilipp]

I raised OSSIndex/vulns#127 to get it fixed.