OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details #249

Closed eleftherias closed 2 years ago

eleftherias commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1

Component URL

https://ossindex.sonatype.org/component/pkg:maven/org.springframework.security/spring-security-core

Description

I believe this report is incorrect. There is nothing in the associated issue to indicate a vulnerability: https://github.com/spring-projects/spring-security/pull/9931. Perhaps the issue title triggered this report to be created, but the change consists only of a null check on configuration metadata, as can be seen in the linked PR.

ken-duck commented 2 years ago

Hi! Sorry for the delay, but I respond with good news.

OSS Index is going through a major upgrade, as described here: https://ossindex.sonatype.org/updates-notice

The most clear and obvious benefit is far fewer false negatives and false positives, and vulnerabilities will be added to the system on a much more frequent and rapid basis. Once the upgrade is completed you should see most (if not all) of the reported data issues be resolved.

savek-cc commented 2 years ago

@ken-duck what is the process to get the actual issue https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1 removed from the database (as the whole thing is a false positive, as in "there is no issue", and not just some issue assigned to the wrong purl or cpe)?

ken-duck commented 2 years ago

Once we move to the new system (probably only 2-3 weeks or so), then it will disappear automatically. The new data stream is much more deeply researched and has very few false positives.

aikebah commented 2 years ago

@ken-duck any ETA on when the new system will appear?

aikebah commented 2 years ago

@ken-duck Just validated that this is resolved (at least for the cases reported as false positives to the OWASP DependencyCheck project). In my view the issue can be closed now that the new data stream is live.

ken-duck commented 2 years ago

Oh! Thanks for letting me know. The move to the new system caused a bit of chaos and some things dropped off my pile; sorry for not following up, and thanks very much for the help!