
[FP]: Unapplicable CVEs reported for spring-boot-starter-oauth2-resource-server-2.7.0.jar

Open xcq1 opened this issue 2 years ago • 3 comments

Package URl

pkg:maven/org.springframework.boot/spring-boot-starter-oauth2-resource-server@2.7.0

CPE

cpe:2.3:a:pivotal:spring_security_oauth:2.7.0:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security:2.7.0:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security_oauth:2.7.0:*:*:*:*:*:*:*, cpe:2.3:a:vmware:server:2.7.0:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_boot:2.7.0:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_security:2.7.0:*:*:*:*:*:*:*

CVE

CVE-2022-22978, CVE-2018-1258, CVE-2021-22112, CVE-2022-22976

ODC Integration

Gradle Plugin

ODC Version

7.1.1

Description

The library spring-boot-starter-oauth2-resource-server-2.7.0.jar actually depends on Spring-Security 5.7.1. This version is not affected by the reported CVEs. It seems as if DependencyCheck assumes Spring-Security 2.7.0 was imported.

xcq1, Jun 21 '22 07:06

Maven Coordinates

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
   <version>2.7.0</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4617
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-oauth2-resource-server@.*$</packageUrl>
   <cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2533718827

github-actions[bot], Jun 21 '22 07:06

Please note the bot's suggested suppression rule does not work for me, I have to include both these CPEs for it to work:

        <cpe>cpe:/a:pivotal_software:spring_security</cpe>
        <cpe>cpe:/a:vmware:spring_security</cpe>

xcq1, Jun 21 '22 07:06
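A complete suppression file that combines the two findings above (the bot's packageUrl scope and the extra spring_security CPEs xcq1 needed), written here as an added example rather than a rule from the DependencyCheck project or from anyone in this thread. It suppresses every Spring Security CPE and the vmware:server CPE reported for the starter, but deliberately leaves cpe:/a:vmware:spring_boot alone, since that one is the correct product for the artifact. The file name and the notes text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    FP per DependencyCheck issue #4617: the starter is a Spring Boot 2.7.x artifact,
    not Spring Security 2.7.x, so Spring Security CPEs at the starter's version are wrong.
    Scoped by packageUrl to the starter only; the spring-security-* jars it pulls in
    are separate dependencies and are still matched and scanned on their own.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-oauth2-resource-server@.*$</packageUrl>
    <!-- CPE reported by the bot's suggested rule -->
    <cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
    <!-- CPEs that actually carry the four reported CVEs (see xcq1's comment) -->
    <cpe>cpe:/a:pivotal_software:spring_security</cpe>
    <cpe>cpe:/a:vmware:spring_security</cpe>
    <!-- remaining bogus matches from the same report line; harmless today but wrong -->
    <cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
    <cpe>cpe:/a:vmware:server</cpe>
  </suppress>
</suppressions>
```

Point the Gradle plugin at the file with `suppressionFile = 'dependency-check-suppressions.xml'` inside the `dependencyCheck { }` block and re-run `./gradlew dependencyCheckAnalyze`; the four CVEs should then appear under the report's suppressed entries rather than as findings. Suppressing by CPE rather than by CVE is the right shape for this case because the CPE itself is the error: a CVE-only rule would have to be extended every time a new Spring Security CVE is published, while the CPE rule removes the mis-association once.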

Running the 7.1.1 gradle plugin doesn't yield the listed CPEs for me (and therefore not the CVEs associated with older versions of spring-security libraries); spring-boot-starter-oauth2-resource-server-2.7.0.jar gets associated only with

cpe:2.3:a:vmware:server:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_boot:2.7.0:*:*:*:*:*:*:*

the first of which is clearly invalid, but does not trigger any FP CVEs.

aikebah, Jul 26 '22 10:07

Any news on this? I am having the same problem

alessioerosferri, Aug 31 '22 16:08

@alessioerosferri can you share an example reproducer gradle project? Because as indicated in my comment... I failed to reproduce it on dependencycheck gradle plugin 7.1.1.

aikebah, Aug 31 '22 16:08

@aikebah I have tried to boil down the responsible code where I can still reproduce this behavior to this really simple project: https://github.com/xcq1/repro-dc-4617

Running ./gradlew dependencyCheckAnalyze in the repo yields a report with the following line:

spring-boot-starter-oauth2-resource-server-2.7.3.jar (pkg:maven/org.springframework.boot/spring-boot-starter-oauth2-resource-server@2.7.3, cpe:2.3:a:pivotal:spring_security_oauth:2.7.3:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security:2.7.3:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security_oauth:2.7.3:*:*:*:*:*:*:*, cpe:2.3:a:vmware:server:2.7.3:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_boot:2.7.3:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_security:2.7.3:*:*:*:*:*:*:*) : CVE-2022-22978, CVE-2018-1258, CVE-2021-22112, CVE-2022-22976

The GH Actions build seems to produce the same output but unfortunately, it doesn't retain the logs for some reason.

xcq1, Sep 01 '22 14:09

@xcq1 Thanks.... that one makes it reproducible for me as well.

aikebah, Sep 01 '22 19:09