DependencyCheck
[FP]: spring-security-oauth2-authorization-server is mistaken for other Spring projects
Package URL
pkg:maven/org.springframework.security/spring-security-oauth2-authorization-server@0.3.1
CPE
cpe:2.3:a:pivotal:spring_security_oauth:0.3.1:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_security:0.3.1:*:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_security_oauth:0.3.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:0.3.1:*:*:*:*:*:*:*
CVE
CVE-2018-1260, CVE-2022-22978, CVE-2021-22112, CVE-2018-15758, CVE-2022-22969, CVE-2022-22976
ODC Integration
Gradle Plugin
ODC Version
7.1.1
Description
From the CVE descriptions, this sounds to me as if CPEs for
- regular Spring Security are matched against the 0.3.1 version (it actually depends on 5.7.1: https://github.com/spring-projects/spring-authorization-server/blob/0.3.1/gradle.properties#L6)
- the old EOL legacy Security OAuth (https://github.com/spring-attic/spring-security-oauth) also match
Maven Coordinates
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>0.3.1</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #4737
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-oauth2-authorization-server@.*$</packageUrl>
    <cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2823348917
FYI, I need to list these 3 CPEs in my suppression for it to work:
<cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
<cpe>cpe:/a:vmware:spring_security</cpe>
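The following is an added example, not code from dependency-check or from the issue participants. It models how a suppression rule with a `<packageUrl regex="true">` guard and one or more `<cpe>` entries is applied to the identifiers reported above, so the single-CPE rule in the issue body can be compared with the three-CPE rule from the follow-up comment. Two matching behaviours are assumed from the suppression-file documentation rather than taken from ODC's source: the packageUrl regex must match the whole purl, and each `<cpe>` entry is a case-insensitive prefix of the identifier's CPE 2.2 URI form (`cpe:/a:vendor:product[:version]`). The purl and the four CPEs are copied from the report; the rule names and helper functions are this example's own.

```python
"""Model of how an OWASP dependency-check suppression rule is applied.

Added example, not dependency-check code. Assumed matching rules:
  * <packageUrl regex="true"> is an anchored regex over the dependency purl;
    if it does not match, the rule is skipped entirely.
  * <cpe> is a case-insensitive prefix match over the CPE 2.2 URI form of
    each identified CPE, so a version-less entry covers every version.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple


def cpe23_to_cpe22(cpe23: str) -> str:
    """Reduce a CPE 2.3 formatted string to its CPE 2.2 URI form.

    cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*  ->  cpe:/a:vendor:product:version
    Trailing ANY ('*') fields are dropped so that a version-less suppression
    entry such as cpe:/a:vendor:product is a plain string prefix of the result.
    (Escaped colons inside CPE fields are not handled; none occur here.)
    """
    fields = cpe23.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe23!r}")
    # part, vendor, product, version, update, edition, language
    components = fields[2:9]
    while components and components[-1] == "*":
        components.pop()
    return "cpe:/" + ":".join(components)


@dataclass(frozen=True)
class SuppressionRule:
    """One <suppress> element: a packageUrl regex guard plus its <cpe> entries."""
    package_url_regex: str
    cpes: Tuple[str, ...]

    def applies_to(self, purl: str) -> bool:
        # <packageUrl regex="true">: anchored match over the whole purl.
        return re.fullmatch(self.package_url_regex, purl) is not None

    def suppresses(self, cpe23: str) -> bool:
        # <cpe>: case-insensitive prefix match on the CPE 2.2 URI form.
        cpe22 = cpe23_to_cpe22(cpe23).lower()
        return any(cpe22.startswith(entry.lower()) for entry in self.cpes)


def remaining_cpes(rule: SuppressionRule, purl: str, identified: List[str]) -> List[str]:
    """Return the identifiers still attached to the dependency after the rule runs."""
    if not rule.applies_to(purl):
        return list(identified)
    return [cpe for cpe in identified if not rule.suppresses(cpe)]


# Constructed from the report: the purl and the four CPEs ODC 7.1.1 attached to it.
PURL = "pkg:maven/org.springframework.security/spring-security-oauth2-authorization-server@0.3.1"
IDENTIFIED_CPES = [
    "cpe:2.3:a:pivotal:spring_security_oauth:0.3.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:pivotal_software:spring_security:0.3.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:pivotal_software:spring_security_oauth:0.3.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:vmware:spring_security:0.3.1:*:*:*:*:*:*:*",
]
PACKAGE_URL_REGEX = r"^pkg:maven/org\.springframework\.security/spring-security-oauth2-authorization-server@.*$"

# The rule as written in the issue body: one <cpe> entry.
ORIGINAL_RULE = SuppressionRule(PACKAGE_URL_REGEX, ("cpe:/a:pivotal:spring_security_oauth",))

# The rule with the three <cpe> entries from the follow-up comment.
EXPANDED_RULE = SuppressionRule(
    PACKAGE_URL_REGEX,
    (
        "cpe:/a:pivotal:spring_security_oauth",
        "cpe:/a:pivotal_software:spring_security",
        "cpe:/a:vmware:spring_security",
    ),
)

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("expanded", EXPANDED_RULE)):
        left = remaining_cpes(rule, PURL, IDENTIFIED_CPES)
        print(f"{name}: {len(IDENTIFIED_CPES) - len(left)} suppressed, {len(left)} remaining")
        for cpe in left:
            print("  still reported:", cpe)
```

Under the prefix model the original rule removes only the `pivotal:spring_security_oauth` identifier and leaves the other three (and their CVEs) on the dependency. The expanded rule removes all four with three entries, because `cpe:/a:pivotal_software:spring_security` is also a prefix of `cpe:/a:pivotal_software:spring_security_oauth:0.3.1`. That same prefix behaviour is why the packageUrl guard matters: a bare vendor:product entry would otherwise suppress longer product names on every dependency in the scan, not just this artifact.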