Open vincenzo-scia opened 2 weeks ago
https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck-base-suppression.xml is the bundled suppressions file. I see nothing that would suppress this if it were being incorrectly detected.
> DependencyCheck Maven (version 7.4.4)

is massively outdated and unsupported. Upgrade to latest 9.x and check again.
Also note that NIST does not mark Spring framework as affected, but Sa-Token when running on Spring
Correct, thank you. What led me astray was the detail page of cpe:2.3:a:vmware:spring_framework:6.0.17 which (in my eyes) seemed to ascribe CVE-2023-44794 directly to Spring Framework:
The detail page of CVE-2023-44794 explains more precisely what you stated above.
According to NIST NVD, spring_framework 6.0.17 (or, more generally, spring_framework > 5.3.0) is affected by CVE-2023-44794 (source: https://nvd.nist.gov/vuln/detail/CVE-2023-44794). However, DependencyCheck Maven (version 7.4.4) is not reporting this CVE for spring_framework 6.0.17.
Question: did you mark this as a false positive on the basis of what is stated in this issue https://github.com/spring-projects/spring-framework/issues/31862?
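The distinction the thread turns on (Spring Framework appearing on the CVE's CPE list as a "running on/with" platform rather than as the affected product) is visible in the `vulnerable` flag of each `cpeMatch` entry in an NVD API 2.0 record. The following is an added example, not code from the thread, from DependencyCheck or from NVD; the JSON is a constructed sample that follows the NVD API 2.0 `configurations` shape, and the vendor/product strings and version bounds in it are illustrative assumptions, not a copy of the real record.

```python
"""Separate 'affected' CPEs from 'platform only' CPEs in an NVD API 2.0 record.

NVD expresses "Sa-Token when running on Spring" as one configuration whose
nodes are ANDed together: the affected product carries vulnerable=true, the
platform it runs on carries vulnerable=false. A scanner that matches only on
the CPE string, ignoring that flag, would wrongly report the platform.
"""
import json

# Constructed sample modelled on the NVD API 2.0 JSON shape. The CPE criteria
# and version bounds are assumptions for illustration, not the real record.
SAMPLE_CVE_JSON = json.dumps({
    "id": "CVE-2023-44794",
    "configurations": [
        {
            "operator": "AND",
            "nodes": [
                {
                    "operator": "OR",
                    "negate": False,
                    "cpeMatch": [
                        {
                            "vulnerable": True,
                            "criteria": "cpe:2.3:a:dromara:sa-token:*:*:*:*:*:*:*:*",
                            "versionEndIncluding": "1.36.0",
                        }
                    ],
                },
                {
                    "operator": "OR",
                    "negate": False,
                    "cpeMatch": [
                        {
                            "vulnerable": False,
                            "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "5.3.0",
                        }
                    ],
                },
            ],
        }
    ],
})

SAMPLE_CVE = json.loads(SAMPLE_CVE_JSON)


def cpe_vendor_product(criteria):
    """Return (vendor, product) from a cpe:2.3 formatted string."""
    parts = criteria.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a cpe:2.3 string: %r" % criteria)
    return parts[3], parts[4]


def version_bounds(match):
    """Collect whichever range keys NVD attached to a cpeMatch entry."""
    keys = ("versionStartIncluding", "versionStartExcluding",
            "versionEndIncluding", "versionEndExcluding")
    return {k: match[k] for k in keys if k in match}


def split_affected_and_platform(cve):
    """Walk every configuration node and bucket CPEs by the vulnerable flag."""
    affected, platform = [], []
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                entry = (match["criteria"], version_bounds(match))
                (affected if match.get("vulnerable") else platform).append(entry)
    return affected, platform


def is_product_marked_vulnerable(cve, vendor, product):
    """True only if some vulnerable=true entry names this vendor/product."""
    affected, _ = split_affected_and_platform(cve)
    return any(cpe_vendor_product(c) == (vendor, product) for c, _ in affected)


def explain(cve):
    """Human-readable summary of which CPEs are affected vs. platform only."""
    affected, platform = split_affected_and_platform(cve)
    lines = ["%s:" % cve["id"]]
    lines += ["  affected      %s %s" % (c, b) for c, b in affected]
    lines += ["  platform only %s %s" % (c, b) for c, b in platform]
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(SAMPLE_CVE))
    print("spring_framework vulnerable?",
          is_product_marked_vulnerable(SAMPLE_CVE, "vmware", "spring_framework"))
```

Run against the real record (fetch `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-44794` and pass the `cve` object from `vulnerabilities[0]`), the same walk shows why a Spring Framework artifact should not trigger this CVE: the only thing a scanner should act on is an entry with `vulnerable` set to true, and the version bounds on the platform entry constrain the environment, not the product being flagged.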