Closed carlosromero68 closed 2 years ago
This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.
Sonatype Deep Dive research determined that the vulnerable files were deprecated but are still being shipped in the package, so it is still possible to use them. The files are expected to be completely removed in 6.0.0, which is yet to be released.
We will be upgrading OSS Index to output this "deviation notice" information soon, where we deviate from the CVE (and why).
Vulnerability URL: https://ossindex.sonatype.org/vulnerability/CVE-2016-1000027?component-type=maven&component-name=org.springframework%2Fspring-web&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Component URL: https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-web@5.3.21?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Description
Building with spring-web 5.3.21 shows the vulnerability even though the vulnerability description says up to 5.3.16.
org.springframework:spring-web:jar:5.3.21:compile; https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-web@5.3.21?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
https://mvnrepository.com/artifact/org.springframework/spring-web/5.3.21 does not show any vulnerabilities.
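The maintainers' explanation above is that "deprecated" is not "removed": the flagged class files are still inside the 5.3.21 jar. One way to verify that for a jar you actually ship, as an added example that is not part of this issue or of OSS Index: scan the archive for class entries under the deprecated remoting packages. The package prefixes are my assumption about which files the report refers to (the HTTP Invoker / RMI remoting classes that CVE-2016-1000027 describes); the sample jars are constructed in memory so the script runs offline.

```python
"""Check whether a Spring jar still ships deprecated remoting classes.

Added example, not code from this issue or from OSS Index. The prefixes
below are an assumption about which "vulnerable files" the report means.
"""
import io
import zipfile

# Assumed: the deprecated HTTP Invoker / RMI remoting packages scheduled
# for removal in Spring Framework 6.0. Adjust if the advisory names others.
DEPRECATED_PREFIXES = (
    "org/springframework/remoting/httpinvoker/",
    "org/springframework/remoting/rmi/",
)


def find_deprecated_classes(jar_bytes: bytes) -> list[str]:
    """Return the .class entries in the jar that live under a deprecated prefix."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(
            name for name in jar.namelist()
            if name.endswith(".class") and name.startswith(DEPRECATED_PREFIXES)
        )


def assess(jar_bytes: bytes) -> str:
    """One-line verdict: the scanner flags the jar if the classes are present."""
    hits = find_deprecated_classes(jar_bytes)
    if not hits:
        return "clean: deprecated remoting classes absent"
    return f"present: {len(hits)} deprecated class file(s) still shipped"


def build_sample_jar(entries) -> bytes:
    """Constructed stand-in for a jar; entries hold only the class-file magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed samples: a 5.3-style jar that still carries the deprecated
# exporter, and a 6.0-style jar from which it has been removed.
SAMPLE_5_3 = build_sample_jar([
    "org/springframework/web/client/RestTemplate.class",
    "org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.class",
])
SAMPLE_6_0 = build_sample_jar(["org/springframework/web/client/RestTemplate.class"])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_5_3
    print("\n".join(find_deprecated_classes(data)) or "(no deprecated classes)")
    print(assess(data))
```

Run it with the path to the spring-web jar from your local Maven repository to see whether the deprecated classes are present; if they are, the next question is whether any of your own code references them.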