Closed Lawlez closed 3 months ago
Hi
Thanks for getting in touch.
The BChecks in GitHub are very much a community effort, so if you have suggestions on how a BCheck can be improved you can submit updates even if you are not the original author. You can find more on the process of contributing to the repository here: Contributing
You have a good point about the confidence level. We’d be happy to merge a PR to lower the confidence.
In terms of the false positives, would you feel confident raising a PR to help reduce these? If not, can you describe what you think needs to be done in the logic to increase the accuracy? This might help others in the community submit updates.
Thank you for the prompt reply, @Michelle-PortSwigger.
I have submitted a PR to change the confidence level.
Closing as fixed by PR #222.
What is the problem you are trying to solve?
Most of the time when I run scans with BChecks enabled, this BCheck pops up as a firm issue.
In no case I have encountered so far (at least 5 cases) has this vuln actually existed.
I think, for one, the check itself is way too unspecific, so it matches in lots of cases. Secondly, I don't think this should be marked as firm for this reason.
How are you currently being hindered by this problem?
Wasting time in false positive reduction.
How would you like this problem to be solved?
Change the BCheck to be tentative, not firm, and/or make the check itself more specific for this vuln if possible.
Any additional details?
BCheck: CVE-2022-22965 Spring Data Binding RCE