google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Request for information - please give an example of a Maven Java dependency vuln that requires pagination #1966

Closed jimshowalter closed 7 months ago

jimshowalter commented 7 months ago

We think we've implemented pagination correctly, but without an actual example our testing is relying on mocking.

We want to test it for real.

andrewpollock commented 7 months ago

Hello,

Unfortunately, I don't think such an example exists in the wild:

I just grabbed gs://osv-vulnerabilities/Maven/all.zip, and:

$ cat *.json | jq -r '.affected[].package.name' | sort | uniq -c | sort -rn  | head -20
    346 org.jenkins-ci.main:jenkins-core
    339 org.apache.tomcat:tomcat
    141 com.fasterxml.jackson.core:jackson-databind
     86 org.apache.tomcat.embed:tomcat-embed-core
     72 org.apache.struts:struts2-core
     62 org.xwiki.platform:xwiki-platform-oldcore
     50 org.eclipse.jetty:jetty-server
     49 org.springframework.security:spring-security-core
     49 org.elasticsearch:elasticsearch
     46 org.keycloak:keycloak-core
     44 io.undertow:undertow-core
     38 com.thoughtworks.xstream:xstream
     37 org.xwiki.platform:xwiki-platform-web-templates
     36 org.springframework:spring-core
     36 com.jfinal:jfinal
     35 net.mingsoft:ms-mcms
     33 org.apache.solr:solr-core
     33 com.vaadin:vaadin-bom
     32 com.vaadin:flow-server
     31 org.jenkins-ci.plugins:script-security

Pagination only kicks in at 1,000 vulnerabilities.
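Since the thread boils down to "no real Maven package crosses the 1,000-result threshold, so you have to test pagination against a mock", here is an added example (not osv.dev project code, and not code from either commenter) of doing exactly that: a client that follows page tokens until none is returned, a constructed in-memory stand-in for the API that pages in chunks of 1,000, and a Python equivalent of the `jq` pipeline above. The request/response field names `page_token` and `next_page_token` are taken from the OSV API documentation as I know it, not from this thread; the offset-as-string token format, the `FakeOsvServer`, `make_records` and `EXAMPLE-*` identifiers are constructed for the example.

```python
"""Added example: a paginated OSV /v1/query client exercised against a
constructed in-memory stand-in, plus a Python port of the jq count above."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

PAGE_SIZE = 1000  # pagination threshold stated in the thread

Fetch = Callable[[dict], dict]  # takes a request body, returns the JSON response


def count_affected_packages(records: List[dict]) -> List[Tuple[str, int]]:
    """Python equivalent of:
        jq -r '.affected[].package.name' | sort | uniq -c | sort -rn
    Like jq, this counts one hit per 'affected' entry, not per advisory."""
    counts = Counter(
        aff["package"]["name"]
        for rec in records
        for aff in rec.get("affected", [])
        if "package" in aff
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def query_all_vulns(fetch: Fetch, name: str, ecosystem: str = "Maven",
                    max_pages: int = 100) -> List[dict]:
    """Collect every vuln for one package, re-sending the same query with
    page_token set until the response carries no next_page_token.
    (Field names assumed from the OSV API docs; see lead-in.)"""
    body = {"package": {"name": name, "ecosystem": ecosystem}}
    vulns: List[dict] = []
    token: Optional[str] = None
    seen_tokens = set()
    for _ in range(max_pages):  # hard bound: a misbehaving server can't spin us forever
        req = dict(body)
        if token:
            req["page_token"] = token
        resp = fetch(req)
        vulns.extend(resp.get("vulns", []))
        token = resp.get("next_page_token")
        if not token:
            return vulns
        if token in seen_tokens:  # defensive: a repeated token would loop
            raise RuntimeError(f"server repeated page token {token!r}")
        seen_tokens.add(token)
    raise RuntimeError("pagination did not terminate within max_pages")


class FakeOsvServer:
    """Constructed stand-in for api.osv.dev: indexes OSV-style records by
    (ecosystem, name) and pages through hits in page_size chunks. The token
    is the next offset as a string, a constructed format (real tokens are opaque)."""

    def __init__(self, records: List[dict], page_size: int = PAGE_SIZE):
        self.page_size = page_size
        self.calls = 0
        self.index: Dict[Tuple[str, str], List[dict]] = {}
        for rec in records:
            for aff in rec.get("affected", []):
                key = (aff["package"]["ecosystem"], aff["package"]["name"])
                self.index.setdefault(key, []).append(rec)

    def __call__(self, req: dict) -> dict:
        self.calls += 1
        pkg = req["package"]
        hits = self.index.get((pkg["ecosystem"], pkg["name"]), [])
        start = int(req.get("page_token", "0"))
        page = hits[start:start + self.page_size]
        resp: dict = {"vulns": page}
        if start + self.page_size < len(hits):
            resp["next_page_token"] = str(start + self.page_size)
        return resp


def make_records(n: int, name: str, ecosystem: str = "Maven") -> List[dict]:
    """Constructed OSV-style records: n advisories, each affecting one package."""
    return [
        {"id": f"EXAMPLE-{name}-{i}",
         "affected": [{"package": {"ecosystem": ecosystem, "name": name}}]}
        for i in range(n)
    ]


if __name__ == "__main__":
    # A package with 2,500 hits needs three pages at PAGE_SIZE=1000;
    # one with 3 hits is answered in a single call.
    records = make_records(2500, "example:big") + make_records(3, "example:small")
    server = FakeOsvServer(records)
    big = query_all_vulns(server, "example:big")
    print(f"example:big -> {len(big)} vulns in {server.calls} calls")
    for pkg, n in count_affected_packages(records):
        print(f"{n:7d} {pkg}")
```

The fake server is deliberately the only place the token format is known; the client treats tokens as opaque strings, which is the property worth testing, since a client that parses or synthesises tokens will pass against a mock and break against the real service.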

jimshowalter commented 7 months ago

I suspected that might be the case. Thanks!