[FP]: Spring Security for CVE-2018-1258 #6625

githubuserVenkat · 2024-04-24T07:00:26Z

Package URl

pkg:maven/org.springframework/spring-framework@5.3.24

CPE

cpe:2.3:a:pivotal_software:spring_security:5.7.6:::::::*

CVE

CVE-2018-1258

ODC Integration

None

ODC Version

9.1.0

Description

As per NVD, Spring Framework version 5.0.5 with combination of any Spring Security version is vulnerable to this CVE, but we use Spring Framework version 5.3.24 which is not vulnerable.

Note : Package URL was missing in the OWASP scan result, since it is mandatory to provide a package URL to create a issue in GitHub

github-actions · 2024-04-24T07:01:59Z

Failed to automatically evaluate the false positive. See: https://github.com/jeremylong/DependencyCheck/actions/runs/8812387675

nhumblot · 2024-04-25T04:50:46Z

Hi!

Thank you for raising this issue. This is due to a limitation in DependencyCheck already raised in #1827, the tool does not use the AND capabilities provided by NVD. I am going to close this issue as a duplicate. If you wish to participate into adding this feature, feel welcome! In the meantime, you can use a custom exclusion rule for this CVE in your project if you do not want to have it being raised by DependencyCheck.

Kind regards

githubuserVenkat added the FP Report label Apr 24, 2024

nhumblot closed this as completed Apr 25, 2024

nhumblot self-assigned this Apr 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FP]: Spring Security for CVE-2018-1258 #6625

[FP]: Spring Security for CVE-2018-1258 #6625

githubuserVenkat commented Apr 24, 2024

github-actions bot commented Apr 24, 2024

nhumblot commented Apr 25, 2024

[FP]: Spring Security for CVE-2018-1258 #6625

[FP]: Spring Security for CVE-2018-1258 #6625

Comments

githubuserVenkat commented Apr 24, 2024

Package URl

CPE

CVE

ODC Integration

ODC Version

Description

github-actions bot commented Apr 24, 2024

nhumblot commented Apr 25, 2024