Hi
I am developing an application with Spring Boot 1.5.7, and I am using OWASP dependency check to validate that my dependencies don't contain any known vulnerability.
The report has come with several vulnerabilities, which I will detail below:
vaadin1: (version 0.0.20131108):
CVE-2016-5696
CVE-2010-1807
CVE-2013-7372
CVE-2014-6060
CVE-2014-1939
tomcat-embed-core (version 8.5.20):
CVE-2016-5425
CVE-2016-6325
CVE-2017-6056
validation-api-1.1.0.Final.jar
CVE-2013-4499
Are you aware of those vulnerabilities in those dependencies? Are those applicable to Spring Boot, or do they not have any impact here?
And the most important bit... is there any plan to release a new version with those issues resolved?
Thanks
Spring Boot depends on com.vaadin.external.google:android-json, but none of the listed CVEs are about this library. The listed CVEs about Tomcat are about configuration on Linux distributions - or a bug linked to Tomcat 8.0.18. As for that last one, it's about Drupal (also, see jeremylong/dependency-check-gradle#55).
I'm closing this one as invalid for now; please reopen this issue if you've got a confirmed CVE against a dependency.
There's no scheduled date for 1.5.8 for now, but you can always check our public release schedule on the dedicated page.
I was typing this at the same time as the update above from @bclozel but I think it's still worth saying.
Unfortunately, the OWASP dependency check is notorious for producing very large numbers of false positives. We simply don't have time to guide every user through those false positives on the off-chance that there is a genuine vulnerability. Please see #9997 for further details, including some analysis that shows that the following are all false positives:
Great, thanks for the quick update guys
So, can we assume that if I am using the latest available version of Spring Boot, all the dependencies there will have no known vulnerabilities?
We can't guarantee that the latest available version will have no known vulnerabilities in the managed dependencies, but that is what we aim for. I would always recommend doing your own due diligence on your application's dependencies to check for vulnerabilities, hopefully using a tool that will produce more accurate results than the OWASP dependency checker… And, if Spring Boot hasn't quite caught up, you can always override the dependency version in your pom.xml or build.gradle.
Thanks Andy
I thought dependency check was the most accurate tool to do it. Is there any other tool you can suggest?
Thanks
On Thu, 12 Oct 2017 at 17:16, Andy Wilkinson notifications@github.com wrote:
We can't guarantee that the latest available version will have no known vulnerabilities in the managed dependencies, but that is what we aim for. I would always recommend doing your own due diligence on your application's dependencies to check for vulnerabilities, hopefully using a tool that will produce more accurate results than the OWASP dependency checker… And, if Spring Boot hasn't quite caught up, you can always override the dependency version in your pom.xml or build.gradle.
Tools like that are useful if you want a list of potential security issues. Like Andy said, they often lead to a lot of false positives because 1) tools can be flawed 2) it's hard to parse automatically those CVE reports 3) very often those CVEs are linked to a particular platform or configuration setup. Ultimately, you have to check potential issues manually.
For example, CVE-2017-12617 applies to Tomcat 8.5.0 to 8.5.22, if and only if you've setup the DefaultServlet readOnly attribute to false, which is not the default (and Spring Boot keeps the sane default). Spring Boot 1.5.8 SNAPSHOT is already on 8.5.23, as we try to keep up with the latest stable versions anyway.
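As an added example (not code from this thread or from the Spring Boot project), here is a Maven pom.xml for a Spring Boot 1.5.x application that does the two things suggested above: it pins the embedded Tomcat to 8.5.23 by overriding the `tomcat.version` property that spring-boot-dependencies manages, and it runs dependency-check-maven with a suppression file so findings triaged as false positives stay out of future reports. The project coordinates, the plugin version and the suppression-file name are assumptions.

```xml
<!-- Added example (not from the Spring Boot project or this thread). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.7.RELEASE</version>
  </parent>
  <groupId>com.example</groupId>        <!-- assumed coordinates -->
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- spring-boot-dependencies manages Tomcat through this property, so
         overriding it moves every tomcat-embed-* artifact to 8.5.23 at once,
         ahead of the Boot release that would otherwise bring it in. -->
    <tomcat.version>8.5.23</tomcat.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.0.2</version>            <!-- assumed; use a current release -->
        <configuration>
          <!-- Break the build for findings scored CVSS 7 or higher; anything
               lower is still listed in the report for manual review. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Findings triaged as false positives (for example the android-json
               match discussed above) go in this file, each with a <notes>
               element recording why the CVE does not apply. -->
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn verify` and the plugin's `check` goal executes during the build; re-run it after each dependency bump so a suppression written for one version does not silently hide a new, real finding in a later one.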