OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Bug: false positive ossindex spring-security-crypto@5.6.5 not affected by CVE-2020-5408 #284

Closed areguru closed 2 years ago

areguru commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2020-5408?component-type=maven&component-name=org.springframework.security/spring-security-crypto

Component URL

https://ossindex.sonatype.org/component/pkg:maven/org.springframework.security/spring-security-crypto@5.6.5

Description

Ref. description on component page: "[CVE-2020-5408] CWE-330: Use of Insufficiently Random Values

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector ..."

According to the description, version 5.6.5 is not included in the CVE. Either this is a false positive or the CVE description is wrong.

tech-consortium commented 2 years ago

It's also detecting version 5.7.1...

Detected 1 vulnerable components:
[ERROR] org.springframework.security:spring-security-crypto:jar:5.7.1:compile; https://ossindex.sonatype.org/component/pkg:maven/org.springframework.security/spring-security-crypto@5.7.1?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]   * [CVE-2020-5408] CWE-330: Use of Insufficiently Random Values (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2020-5408?component-type=maven&component-name=org.springframework.security%2Fspring-security-crypto&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

The research team at Sonatype sent me the following:

The Sonatype security research team discovered that this issue is not yet fixed, as new versions simply @Deprecated the vulnerable method, as mentioned in the advisory, as opposed to replacing it with a safe alternative. Therefore, these are still flagged as vulnerable.

The problem is that, though the issue is deprecated, developers using the library might think just upgrading will solve the problem, or they could be using a library that itself uses spring-security-crypto and have no idea that they are vulnerable.

We are working on some new code on OSS Index that will improve the descriptions and provide this extra context and information when there are deviations. This should be completed in the next 2-3 weeks.
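The point made above (that the fixed releases only deprecate the weak method, so an upgrade by itself changes nothing for code that still calls it) is easiest to see by running the deprecated encryptor next to its replacement. The following is an added example written for this page, not code from the OSS Index project, Sonatype, or the Spring Security project. The advisory text quoted on the page does not name the method; this example assumes it is Encryptors.queryableText, the text encryptor that Spring Security deprecated in the fixed releases, and the password, salt, and plaintext are constructed sample values.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

/**
 * Compares the deprecated "queryable" text encryptor with a randomized one.
 * Run against spring-security-crypto 5.6.5 or 5.7.1 (the versions flagged in this issue):
 * the deprecated method still compiles, still runs, and still yields the same
 * ciphertext for the same plaintext, which is what makes dictionary attacks
 * on the stored values possible.
 */
public class QueryableTextCheck {

    // Constructed sample secret and plaintext; not real credentials.
    static final String PASSWORD = "correct horse battery staple";
    static final String PLAINTEXT = "alice@example.com";

    /** True when two encryptions of the same plaintext produce identical ciphertext. */
    static boolean isDeterministic(TextEncryptor encryptor, String plaintext) {
        return encryptor.encrypt(plaintext).equals(encryptor.encrypt(plaintext));
    }

    public static void main(String[] args) {
        // Encryptors expects a hex-encoded salt; KeyGenerators.string() produces one.
        String salt = KeyGenerators.string().generateKey();

        // Deprecated in the "fixed" releases, but still present and still deterministic
        // (assumption: this is the method the advisory refers to).
        @SuppressWarnings("deprecation")
        TextEncryptor queryable = Encryptors.queryableText(PASSWORD, salt);
        System.out.println("queryableText deterministic: " + isDeterministic(queryable, PLAINTEXT));

        // Replacement: AES-GCM with a fresh random IV per call, so equal plaintexts
        // encrypt to different ciphertexts and still round-trip correctly.
        TextEncryptor randomized = Encryptors.delux(PASSWORD, salt);
        System.out.println("delux deterministic: " + isDeterministic(randomized, PLAINTEXT));
        System.out.println("delux round-trips: "
                + randomized.decrypt(randomized.encrypt(PLAINTEXT)).equals(PLAINTEXT));
    }
}
```

Expected behaviour when run: the first line prints true and the second prints false. Note that switching to Encryptors.delux (or Encryptors.text) gives up the property the old method was chosen for, namely the ability to look rows up by ciphertext, so a migration also needs a new query strategy (for example an HMAC-based blind index alongside the randomized ciphertext). To find out whether a transitive dependency is the caller, `mvn dependency:tree -Dincludes=org.springframework.security:spring-security-crypto` shows which artifact pulls the library in, and a source or bytecode search for `queryableText` in that artifact tells you whether the deprecated path is actually used.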