We have noticed that some CVEs affecting Spring libraries are not reported by Dependabot. This is caused by the fact that some CVEs take a long time to be included in the National Vulnerability Database (NVD) with a full description and CVSS score. As far as I know, the NVD is currently the only data source used by the GHSA database that contains Java- and Spring-related vulnerabilities.
One example that was not reported by Dependabot: CVE-2024-38809. This CVE affects org.springframework:spring-web in most versions prior to 6.1.12.
This CVE is reported as reserved in the MITRE CVE database, but its details have not been published yet. It is not published in the NVD either, which leads to Dependabot failing to recognize it when scanning our Spring repositories.
Thanks to the wonderful GitHub Enterprise support, this CVE has now received an entry in the GHSA database, while it is still not included in the NVD: Link to GHSA
To avoid such situations in the future, I'd suggest using Spring Security Advisories as an additional data source for the GHSA database. The CVE mentioned above had been published there for over a month before it was added to the GHSA database: Spring Security Advisory for CVE-2024-38809
My colleagues and I think this would be a valuable addition to the GHSA database. Spring is widely used, and many organizations use Dependabot to scan their Spring projects. What do the maintainers of the GHSA database think about our suggestion?
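As an added example (not code from this discussion, nor from GitHub, Dependabot or Spring), the following Python check evaluates a dependency version against advisories drawn from more than one feed, so that an advisory missing from one source, the situation the post describes for CVE-2024-38809, is still surfaced and the same advisory carried by two feeds is reported once. Advisories are assumed to be in the OSV record shape; the feed contents, the GHSA id and the affected range are constructed placeholders built only from the fix version named above, and the Maven version ordering is a simplification.

```python
"""Cross-check one Maven dependency against advisories from more than one feed.

Added example for this discussion, not code from GitHub, Dependabot or Spring.
It assumes advisories in the OSV record shape (the format GHSA publishes) and
a simplified Maven version ordering; all feed contents below are constructed.
"""


def parse_version(version: str):
    """Turn '6.1.12' or '6.1.12-RC1' into a comparable key.

    Simplification (assumption): dotted numeric segments compare numerically,
    trailing zeros are ignored (6.1 == 6.1.0), and a '-qualifier' suffix such
    as RC1 or SNAPSHOT sorts below the plain release it precedes.
    """
    main, _, qualifier = version.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums), (0, qualifier) if qualifier else (1, "")


def is_affected(version: str, ranges) -> bool:
    """Evaluate OSV 'ECOSYSTEM' ranges: walk introduced/fixed events in
    version order and report whether `version` falls in an open interval."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue  # SEMVER/GIT ranges are out of scope for this example
        inside = False
        events = sorted(rng["events"],
                        key=lambda e: parse_version(next(iter(e.values()))))
        for event in events:
            if "introduced" in event and parse_version(event["introduced"]) <= v:
                inside = True
            elif "fixed" in event and parse_version(event["fixed"]) <= v:
                inside = False
        if inside:
            return True
    return False


def matching_advisories(feeds: dict, package: str, version: str) -> list:
    """Return one hit per distinct advisory affecting package@version.

    `feeds` maps a source name to a list of OSV-shaped records. Records that
    share an id or alias (e.g. the same CVE in two feeds) are reported once,
    attributed to the first feed that carried them.
    """
    seen, hits = set(), []
    for source, records in feeds.items():
        for adv in records:
            ids = {adv["id"], *adv.get("aliases", [])}
            if seen & ids:
                continue  # already reported from an earlier feed
            for affected in adv.get("affected", []):
                pkg = affected["package"]
                if (pkg["ecosystem"] == "Maven" and pkg["name"] == package
                        and is_affected(version, affected["ranges"])):
                    hits.append({"id": adv["id"], "source": source,
                                 "aliases": sorted(adv.get("aliases", []))})
                    seen |= ids
                    break
    return hits


# Constructed sample records. The affected range is a placeholder built from
# the fix version named in the discussion; it is not the real affected range.
SPRING_WEB = "org.springframework:spring-web"
SPRING_ADVISORY = {
    "id": "CVE-2024-38809",
    "aliases": [],
    "affected": [{
        "package": {"ecosystem": "Maven", "name": SPRING_WEB},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "6.1.12"}]}],
    }],
}
GHSA_FEED_BEFORE = []  # the state described in the post: no GHSA entry yet
GHSA_FEED_AFTER = [{   # after GitHub support added it; the id is a placeholder
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": ["CVE-2024-38809"],
    "affected": SPRING_ADVISORY["affected"],
}]
SPRING_FEED = [SPRING_ADVISORY]


if __name__ == "__main__":
    for label, ghsa in (("before", GHSA_FEED_BEFORE), ("after", GHSA_FEED_AFTER)):
        only_ghsa = matching_advisories({"ghsa": ghsa}, SPRING_WEB, "6.1.11")
        merged = matching_advisories({"ghsa": ghsa, "spring": SPRING_FEED},
                                     SPRING_WEB, "6.1.11")
        print(f"{label}: GHSA only -> {[h['id'] for h in only_ghsa]}, "
              f"GHSA+Spring -> {[(h['id'], h['source']) for h in merged]}")
```

Run stand-alone, the "before" line shows the gap (GHSA alone reports nothing for 6.1.11 while the merged feeds report the CVE from the Spring source) and the "after" line shows the alias-based de-duplication once both feeds carry the same advisory. A real integration would fetch the GHSA records through the OSV API and the Spring advisories from their published feed instead of the inline constants.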