jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Jaxws-spring jar is mentioned as vulnerable in recent scans #5697

Open maniprabu101993 opened 1 year ago

maniprabu101993 commented 1 year ago

We are using org.jvnet.jax-ws-commons.spring:jaxws-spring in our project and we see this jar is detected as vulnerable for multiple CVEs. The list of CVEs mentioned by the OWASP dependency check is below:

CVE-2023-20861, CVE-2022-22971, CVE-2022-22970, CVE-2022-22968, CVE-2022-22965, CVE-2022-22950, CVE-2018-15756, CVE-2018-1275, CVE-2018-1272, CVE-2018-1271, CVE-2018-1270, CVE-2018-1257, CVE-2016-9878, CVE-2016-5007, CVE-2015-5211, CVE-2015-3192, CVE-2011-2730, CVE-2009-1190.

While analyzing all the CVEs, they are related to the spring framework jars and not to jaxws-spring. The last version of this jar is 1.9, which was released in 2013; after that there is no new version available. Is it really vulnerable, or is it a false positive? It would be helpful if someone knows some details about this jaxws-spring.

OrangeDog commented 1 year ago

They're all false positives, yes. The jar has been incorrectly assigned a CPE for spring-framework, which is what you'll need to suppress.

jaxws-spring seems to be pretty old and obsolete. spring-ws has existed since 2007 and is in active development. jaxws-spring may be full of vulnerabilities you're not aware of.
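An example of the suppression OrangeDog refers to, written for this issue and not taken from the thread or shipped with the project. The rule is keyed on the artifact's package URL plus the mis-assigned CPE rather than on the individual CVE numbers; the exact CPE value is an assumption, since the report's identifier is not quoted above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example dependency-check suppression file (constructed for issue #5697, not part of the project). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        jaxws-spring-1.9.jar is a JAX-WS/Spring integration library, not Spring Framework itself.
        dependency-check matched it to a spring_framework CPE, so every Spring Framework CVE
        was attributed to this jar. Suppress the CPE match, not the individual CVEs.
        ]]></notes>
        <!-- Scope the rule to this one artifact so genuine spring-framework jars are still flagged. -->
        <packageUrl regex="true">^pkg:maven/org\.jvnet\.jax\-ws\-commons\.spring/jaxws\-spring@.*$</packageUrl>
        <!-- ASSUMPTION: the CPE below is an example value. Copy the exact CPE listed in your
             report's "Identifiers" section; the vendor part may differ from what is shown here. -->
        <cpe>cpe:/a:vmware:spring_framework</cpe>
    </suppress>
</suppressions>
```

Point the scanner at this file with the Maven plugin's suppressionFile setting or the CLI's --suppression option. A rule listing only `<cve>` elements would need updating every time a new Spring Framework CVE is published, whereas suppressing the CPE removes the root cause of the match.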

goshigaming commented 3 months ago

> They're all false positives, yes. The jar has been incorrectly assigned a CPE for spring-framework, which is what you'll need to suppress.
>
> jaxws-spring seems to be pretty old and obsolete. spring-ws has existed since 2007 and is in active development. jaxws-spring may be full of vulnerabilities you're not aware of.

Which library can replace jaxws-spring?

OrangeDog commented 3 months ago

> Which library can replace jaxws-spring?

spring-ws.

But if you're using jaxws-spring you must be on Spring 4 or older, which is also unsupported and full of vulnerabilities.

goshigaming commented 3 months ago

> > Which library can replace jaxws-spring?
>
> spring-ws.
>
> But if you're using jaxws-spring you must be on Spring 4 or older, which is also unsupported and full of vulnerabilities.

Yes, I want to completely replace jaxws-spring because org.jvnet.jax-ws-commons.spring:jaxws-spring stopped being supported 11 years ago. Currently jaxws-spring version 1.9 cannot work with Spring 6. But migrating from jaxws-spring to spring-ws is not easy.