OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details #287

Closed pwagland closed 2 years ago

pwagland commented 2 years ago

Vulnerability URL: https://ossindex.sonatype.org/vulnerability/CVE-2020-5408

Component URL: https://ossindex.sonatype.org/component/pkg:maven/org.springframework.security/spring-security-crypto@5.7.1

Description: This issue is marked as affecting 5.7.1, however the description of the issue mentions that it only affects:

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16.

5.7.1 should not be marked as being affected by this issue.

carlosromero68 commented 2 years ago

Please update.

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 2 years ago

Sonatype deep dive research deemed the fix to be insufficient, hence all versions are being implicated. Specifically:

The Sonatype security research team discovered that this issue is not yet fixed, as new versions simply @Deprecated the vulnerable method, as mentioned in the advisory, as opposed to replacing it with a safe alternative. Therefore, these are still flagged as vulnerable.

This is important to note, as though your code might avoid the deprecated APIs, any library you use that itself (or transitively) uses the vulnerable APIs would continue to be vulnerable.

It is my understanding that release 6.x of the library will likely completely remove the APIs and therefore resolve the problem.

There is an upcoming feature in OSS Index that will provide this "deviation" explanation when OSS Index deviates from the CVEs.
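As an added illustration of the point made in this thread (not code from the issue or from OSS Index): the thread does not name the deprecated method, so this example assumes it is `Encryptors.queryableText` from spring-security-crypto, which CVE-2020-5408 describes as using a fixed IV in CBC mode. Because the method is only deprecated, it still compiles and runs on 5.7.1; the check below makes its deterministic behaviour visible next to the random-IV replacement `Encryptors.delux`. The password and plaintext are constructed sample values.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public class DeprecatedEncryptorCheck {

    // Encrypts the same plaintext twice and reports whether the ciphertexts match.
    // A deterministic encryptor leaks equality of plaintexts across records, which is
    // the weakness the advisory describes for the fixed-IV CBC "queryable" encryptor.
    static boolean isDeterministic(TextEncryptor encryptor, String plaintext) {
        String first = encryptor.encrypt(plaintext);
        String second = encryptor.encrypt(plaintext);
        return first.equals(second);
    }

    public static void main(String[] args) {
        String password = "constructed-sample-password"; // constructed sample, not a real secret
        String salt = KeyGenerators.string().generateKey(); // hex-encoded random salt

        // Assumed vulnerable method: still present on 5.7.1, only marked @Deprecated,
        // so code (including transitive dependencies) can still call it without error.
        @SuppressWarnings("deprecation")
        TextEncryptor queryable = Encryptors.queryableText(password, salt);

        // Replacement: AES-GCM with a fresh random IV per call, hex-encoded output.
        TextEncryptor delux = Encryptors.delux(password, salt);

        String plaintext = "same value stored in two rows";
        System.out.println("queryableText deterministic: "
                + isDeterministic(queryable, plaintext)); // true: identical ciphertexts
        System.out.println("delux deterministic: "
                + isDeterministic(delux, plaintext));     // false: IV differs each call
    }
}
```

The deterministic result is the observable symptom that a scanner flagging all versions (rather than only the ones in the CVE text) is reacting to: the API that produces it is still shipped and callable.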