jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

CVE-2023-44794 on spring_framework #6612

Open vincenzo-scia opened 2 weeks ago

vincenzo-scia commented 2 weeks ago

According to NIST NVD, spring_framework 6.0.17 (or more in general spring_framework > 5.3.0) is affected by CVE-2023-44794 (source: https://nvd.nist.gov/vuln/detail/CVE-2023-44794). However, DependencyCheck Maven (version 7.4.4) is not reporting this CVE for spring_framework 6.0.17.

Question: did you mark this as a false positive on the basis of what is stated in this issue https://github.com/spring-projects/spring-framework/issues/31862?

OrangeDog commented 2 weeks ago

https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-suppression.xml is the bundled suppressions file. I see nothing that would suppress this if it were being incorrectly detected.

aikebah commented 1 week ago

DependencyCheck Maven (version 7.4.4)

is massively outdated and unsupported. Upgrade to latest 9.x and check again.

aikebah commented 1 week ago

Also note that NIST does not mark Spring framework as affected, but Sa-Token when running on Spring

vincenzo-scia commented 1 week ago

Also note that NIST does not mark Spring framework as affected, but Sa-Token when running on Spring

Correct, thank you. What led me astray was the detail page of cpe:2.3:a:vmware:spring_framework:6.0.17 which (in my eyes) seemed to ascribe CVE-2023-44794 directly to Spring Framework:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&isCpeNameSearch=true&seach_type=all&query=cpe:2.3:a:vmware:spring_framework:6.0.17

The detail page of CVE-2023-44794 explains more precisely what you stated above.
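The distinction aikebah draws above (Spring Framework listed as the platform Sa-Token runs on, not as the affected product) is encoded in the CVE record's configuration nodes, which is why a CPE search for spring_framework lists the CVE while the CVE itself does not mark Spring as affected. The following added example is not part of this thread or of DependencyCheck: it walks a constructed record shaped like an NVD API 2.0 CVE entry and separates CPEs flagged `vulnerable` from CPEs present only as platform context; the Sa-Token vendor string is a placeholder.

```python
"""Separate CPEs a CVE actually marks vulnerable from CPEs that appear only as
'running on/with' platform context in an NVD API 2.0 style record.
SAMPLE_CVE is CONSTRUCTED to mirror the shape of such an entry; it is not the
real CVE-2023-44794 data, and 'example_vendor' is a placeholder for Sa-Token's vendor."""

SAMPLE_CVE = {
    "id": "CVE-2023-44794",
    "configurations": [{
        "operator": "AND",          # both nodes must match: product AND platform
        "nodes": [
            {"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True,    # the product NVD says is affected
                 "criteria": "cpe:2.3:a:example_vendor:sa-token:*:*:*:*:*:*:*:*"}]},
            {"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": False,   # platform context only, not affected
                 "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*"}]},
        ],
    }],
}


def classify_cpes(cve):
    """Return {criteria: 'vulnerable' | 'platform-only'} for every CPE in the record."""
    result = {}
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            if node.get("negate"):
                continue  # negated nodes describe exclusions, not affected products
            for match in node.get("cpeMatch", []):
                label = "vulnerable" if match.get("vulnerable") else "platform-only"
                # a CPE flagged vulnerable in any node wins over platform-only elsewhere
                if result.get(match["criteria"]) != "vulnerable":
                    result[match["criteria"]] = label
    return result


def cpe_product(criteria):
    """Extract 'vendor:product' from a CPE 2.3 string (fields 3 and 4)."""
    parts = criteria.split(":")
    return ":".join(parts[3:5])


def is_marked_affected(cve, vendor_product):
    """True only if some CPE for vendor:product carries vulnerable=True."""
    return any(label == "vulnerable" and cpe_product(c) == vendor_product
               for c, label in classify_cpes(cve).items())


if __name__ == "__main__":
    for criteria, label in classify_cpes(SAMPLE_CVE).items():
        print(f"{label:14} {criteria}")
    print("spring_framework affected:", is_marked_affected(SAMPLE_CVE, "vmware:spring_framework"))
```

A scanner that keys only on the CPE search results would report the CVE against Spring; one that reads the `vulnerable` flag, as the thread describes, does not.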