Dependencycheck: CVE-2018-1258 - false positive

Created on 1 Aug 2019 · 3 comments · Source: jeremylong/DependencyCheck

Similar to this issue https://github.com/jeremylong/DependencyCheck/issues/1383

False positive on library https://mvnrepository.com/artifact/org.springframework.security/spring-security-core/4.2.13.RELEASE - reported as cpe:2.3:a:pivotal_software:spring_security:4.2.13:*:*:*:*:*:*:*

According to https://pivotal.io/security/cve-2018-1258:
"Users leveraging Spring Framework 4.x (Spring Security 4.x or Spring Boot 1.x) are not impacted so no steps are necessary."

FP Report enhancement

All 3 comments

There are two aspects to this. First, an update request should be made to the NVD for this CVE. If their data is wrong there is not much we can do about it. Second, ODC does not correctly utilize the and/or configurations defined in the NVD JSON data feeds. We should enhance ODC to only flag this if an affected version of Spring is present AND spring-security is present.
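As an added illustration of the AND/OR handling described in the comment above (example code, not ODC's own implementation): a small evaluator for NVD JSON 1.1 `configurations` nodes, run over constructed data shaped like the CVE-2018-1258 entry (the Spring Framework version range is a placeholder, not the real NVD record), next to the operator-blind matching that produces the false positive on spring-security alone.

```python
"""Evaluate NVD JSON 1.1 'configurations' nodes honouring their AND/OR operators.
Sample data below is constructed; the version range is a placeholder, not the
real CVE-2018-1258 record. Simplification: 'negate' flags are ignored."""

def _vtuple(v):
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def _in_range(m, v):
    """Check a concrete version tuple against the optional NVD range keys."""
    lo_i, lo_e = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_i, hi_e = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    return ((lo_i is None or _vtuple(lo_i) <= v) and (lo_e is None or _vtuple(lo_e) < v)
            and (hi_i is None or v <= _vtuple(hi_i)) and (hi_e is None or v < _vtuple(hi_e)))

def _cpe_match(m, detected_uri):
    """True if one cpe_match entry covers a detected CPE 2.3 URI (no escaped colons)."""
    want, have = m["cpe23Uri"].split(":"), detected_uri.split(":")
    if not m.get("vulnerable", True) or want[2:5] != have[2:5]:
        return False  # part, vendor and product must be identical
    if want[5] != "*":
        return want[5] == have[5]  # exact version written in the URI itself
    return _in_range(m, _vtuple(have[5]))

def node_matches(node, detected):
    """Recursive evaluation: AND needs every child and match, OR needs one."""
    results = [any(_cpe_match(m, d) for d in detected) for m in node.get("cpe_match", [])]
    results += [node_matches(c, detected) for c in node.get("children", [])]
    if not results:
        return False
    return all(results) if node.get("operator", "OR") == "AND" else any(results)

def is_vulnerable(cve, detected):
    return any(node_matches(n, detected) for n in cve["configurations"]["nodes"])

def flag_ignoring_operators(cve, detected):
    """The behaviour the issue describes: any cpe_match anywhere is enough to flag."""
    def walk(node):
        yield from node.get("cpe_match", [])
        for c in node.get("children", []):
            yield from walk(c)
    return any(_cpe_match(m, d) for n in cve["configurations"]["nodes"]
               for m in walk(n) for d in detected)

# Constructed sample shaped like the feed: framework in range AND security present.
SAMPLE_CVE = {"configurations": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND",
    "children": [
        {"operator": "OR", "cpe_match": [{"vulnerable": True,
            "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.6"}]},
        {"operator": "OR", "cpe_match": [{"vulnerable": True,
            "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*"}]}]}]}}
```

With spring-security 4.2.13 detected on its own, `flag_ignoring_operators` reports a hit while `is_vulnerable` correctly does not; adding a Spring Framework CPE inside the placeholder range is what satisfies the AND node.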

I think this is basically a dupe of #1827 which has a fuller explanation of the issue with the AND not being supported.

@chadlwilson You're absolutely right, closing this one.
