jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

[FP]: Spring Security for CVE-2018-1258 #6625

Closed githubuserVenkat closed 3 weeks ago

githubuserVenkat commented 3 weeks ago

Package URL

pkg:maven/org.springframework/spring-framework@5.3.24

CPE

cpe:2.3:a:pivotal_software:spring_security:5.7.6:*:*:*:*:*:*:*

CVE

CVE-2018-1258

ODC Integration

None

ODC Version

9.1.0

Description

As per NVD, Spring Framework version 5.0.5 with combination of any Spring Security version is vulnerable to this CVE, but we use Spring Framework version 5.3.24 which is not vulnerable.

Note: the Package URL was missing in the OWASP scan result; it is filled in here because providing a package URL is mandatory to create an issue in GitHub.

github-actions[bot] commented 3 weeks ago

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8812387675

nhumblot commented 3 weeks ago

Hi!

Thank you for raising this issue. This is due to a limitation in DependencyCheck already raised in #1827: the tool does not use the AND capabilities provided by NVD. I am going to close this issue as a duplicate. If you wish to participate in adding this feature, feel welcome! In the meantime, you can use a custom exclusion rule for this CVE in your project if you do not want it to be raised by DependencyCheck.

Kind regards
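One way to apply the custom exclusion rule the maintainer suggests, as an added example that is not part of the issue or of the project's own files: a dependency-check suppression file scoped by package URL so that only CVE-2018-1258 on the reported spring-framework artifact is silenced, while other findings on the same dependency are still reported. The version pattern and the notes text are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (not from the issue); the packageUrl regex and notes are constructed. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: NVD ties CVE-2018-1258 to Spring Framework 5.0.5 combined with Spring Security,
        but this project uses Spring Framework 5.3.24. dependency-check does not evaluate the AND
        configuration from NVD (see #1827), so it reports the CVE on any Spring Security CPE match.
        Scoped to the 5.3.x package URL so the rule stops applying if the artifact ever changes major/minor.
        ]]></notes>
        <!-- Match only the Maven coordinates reported in the scan; regex="true" leaves the patch version open -->
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-framework@5\.3\..*$</packageUrl>
        <!-- Suppress exactly this CVE, not the whole CPE, so future Spring Security CVEs still surface -->
        <cve>CVE-2018-1258</cve>
    </suppress>
</suppressions>
```

Point dependency-check at the file with the `--suppression` command-line option (or the equivalent setting of the build-tool plugin in use), and re-review the rule when the Spring Framework version moves outside the 5.3.x pattern.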