Closed githubuserVenkat closed 3 weeks ago
Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8812387675
Hi!
Thank you for raising this issue. This is due to a limitation in DependencyCheck already raised in #1827: the tool does not use the AND
capabilities provided by NVD. I am going to close this issue as a duplicate. If you wish to participate in adding this feature, feel welcome! In the meantime, you can use a custom exclusion rule for this CVE in your project if you do not want it to be raised by DependencyCheck.
Kind regards
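Added example (not DependencyCheck's own code) illustrating the limitation the maintainer refers to and the workaround they suggest. The NVD configuration below is constructed for this example, modelled on the NVD JSON 1.1 `configurations` shape, and is not a copy of the NVD record: it encodes "Spring Framework 5.0.5 AND any Spring Security version", as the issue describes. A flat "any CPE matches" check flags the reporter's `spring_security:5.7.6` CPE; evaluating the AND node as a tree does not. The `suppression_xml` helper emits the DependencyCheck suppression-file entry (schema `dependency-suppression.1.3.xsd`, `<packageUrl regex="true">` and `<cve>` elements) that silences this CVE for the reporter's package URL; the function name and the package-URL regex are my own.

```python
"""Added example: flat CPE matching vs AND-aware evaluation of an NVD
configuration, plus a DependencyCheck suppression entry for the result."""
from typing import Dict, Iterable, List

# Constructed NVD-style configuration for CVE-2018-1258 (illustrative only):
# vulnerable when Spring Framework 5.0.5 is combined with any Spring Security.
CONFIG_CVE_2018_1258 = {
    "operator": "AND",
    "children": [
        {"operator": "OR", "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*"}]},
        {"operator": "OR", "cpe_match": [
            {"vulnerable": False,  # context ("running with"), not itself vulnerable
             "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*"}]},
    ],
}

# Constructed: CPEs identified in a project on Spring Framework 5.3.24,
# including the spring_security:5.7.6 CPE that DependencyCheck reported.
REPORTER_PROJECT = [
    "cpe:2.3:a:pivotal_software:spring_framework:5.3.24:*:*:*:*:*:*:*",
    "cpe:2.3:a:pivotal_software:spring_security:5.7.6:*:*:*:*:*:*:*",
]
# Constructed: a project that really is on the affected framework version.
VULNERABLE_PROJECT = [
    "cpe:2.3:a:pivotal_software:spring_framework:5.0.5:*:*:*:*:*:*:*",
    "cpe:2.3:a:pivotal_software:spring_security:5.7.6:*:*:*:*:*:*:*",
]


def parse_cpe(uri: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its 11 named components."""
    fields = uri.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {uri}")
    names = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(names, fields[2:]))


def cpe_matches(pattern: str, installed: str) -> bool:
    """'*' in the pattern means ANY; every other component must be equal."""
    p, i = parse_cpe(pattern), parse_cpe(installed)
    return all(p[k] == "*" or p[k] == i[k] for k in p)


def _all_matches(node: dict) -> Iterable[dict]:
    """Yield every cpe_match entry in the configuration tree."""
    yield from node.get("cpe_match", [])
    for child in node.get("children", []):
        yield from _all_matches(child)


def _any_installed(pattern: str, installed: List[str]) -> bool:
    return any(cpe_matches(pattern, c) for c in installed)


def flat_match(config: dict, installed: List[str]) -> bool:
    """Naive check: flag if ANY CPE anywhere in the configuration matches.
    This ignores the AND operator and is what produces the false positive."""
    return any(_any_installed(m["cpe23Uri"], installed) for m in _all_matches(config))


def node_true(node: dict, installed: List[str]) -> bool:
    """Evaluate one configuration node honouring its AND/OR operator."""
    combine = all if node.get("operator") == "AND" else any
    terms = [_any_installed(m["cpe23Uri"], installed) for m in node.get("cpe_match", [])]
    terms += [node_true(child, installed) for child in node.get("children", [])]
    return combine(terms) if terms else False


def and_aware_match(config: dict, installed: List[str]) -> bool:
    """Flag only if the whole configuration holds AND a vulnerable=true CPE matched."""
    hit_vulnerable = any(m["vulnerable"] and _any_installed(m["cpe23Uri"], installed)
                         for m in _all_matches(config))
    return node_true(config, installed) and hit_vulnerable


def suppression_xml(cve: str, purl_regex: str) -> str:
    """DependencyCheck suppression-file entry for one CVE on one package URL pattern."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n'
        "  <suppress>\n"
        f"    <notes>{cve}: NVD configuration requires Spring Framework 5.0.5, which is not in use.</notes>\n"
        f'    <packageUrl regex="true">{purl_regex}</packageUrl>\n'
        f"    <cve>{cve}</cve>\n"
        "  </suppress>\n"
        "</suppressions>\n"
    )


if __name__ == "__main__":
    for name, cpes in (("reporter", REPORTER_PROJECT), ("vulnerable", VULNERABLE_PROJECT)):
        print(f"{name}: flat={flat_match(CONFIG_CVE_2018_1258, cpes)} "
              f"and_aware={and_aware_match(CONFIG_CVE_2018_1258, cpes)}")
    print(suppression_xml("CVE-2018-1258", r"^pkg:maven/org\.springframework/spring\-framework@.*$"))
```

The flat check reports both projects; the AND-aware check reports only the one that actually ships Spring Framework 5.0.5. The generated suppression entry is the "custom exclusion rule" the maintainer mentions: save it as a suppression file and point DependencyCheck at it, and scope the `packageUrl` regex as tightly as the project allows so the suppression does not hide a different, real finding later.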
Package URL
pkg:maven/org.springframework/spring-framework@5.3.24
CPE
cpe:2.3:a:pivotal_software:spring_security:5.7.6:*:*:*:*:*:*:*
CVE
CVE-2018-1258
ODC Integration
None
ODC Version
9.1.0
Description
As per NVD, Spring Framework version 5.0.5 in combination with any Spring Security version is vulnerable to this CVE, but we use Spring Framework version 5.3.24, which is not vulnerable.
Note: the Package URL was missing in the OWASP scan result; it is given here since it is mandatory to provide a package URL to create an issue in GitHub.