Trivy does not detect CVE-2023-20873 #6901
Description

https://avd.aquasec.com/nvd/2023/cve-2023-20873/

org.springframework.boot:spring-boot-autoconfigure 2.3.12.RELEASE is known to have the vulnerability CVE-2023-20873, but Trivy does not detect it. Only CVE-2023-20883 is currently being reported. Even the Aqua Sec DB has the start version as

Desired Behavior

CVE-2023-20873 should have been reported in the scan results.

Actual Behavior

CVE-2023-20873 is not reported in the scan results.

Reproduction Steps

1. Created a pom.xml with org.springframework.boot:spring-boot-autoconfigure 2.3.12.RELEASE:

```xml
<!-- pom.xml -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
         http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>spring-boot-actuator-example</artifactId>
    <version>1.0.0</version>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.12.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <dependencies>
        <!-- Spring Boot Web -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!-- Spring Boot Actuator -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-actuator-autoconfigure</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```

2. Perform a filesystem scan.
Operating System

macOS Sonoma

Version

```
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-10 00:14:40.397672298 +0000 UTC
  NextUpdate: 2024-04-10 06:14:40.397671937 +0000 UTC
  DownloadedAt: 2024-04-10 05:37:58.886042 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-11 00:53:00.064262708 +0000 UTC
  NextUpdate: 2023-09-14 00:53:00.064262008 +0000 UTC
  DownloadedAt: 2023-09-11 19:22:04.868176 +0000 UTC
```
Replies: 1 comment 3 replies
Hello @namandf

Thanks for your report!

We use the GitHub advisory database for java packages (https://aquasecurity.github.io/trivy/v0.52/docs/scanner/vulnerability/#data-sources_1). The GitHub database uses the following ranges:

If you are sure that versions prior to 2.5.0 are vulnerable, please suggest changes on GitHub: https://github.com/advisories/GHSA-g5h3-w546-pj7f/improve

Regards, Dmitriy
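A small triage check for the situation in this thread, added here as an example; it is not code from Trivy or from either participant. It covers both the reproduction step above (inspect the JSON report from `trivy fs --format json --output report.json .`) and the reply's point that detection follows the advisory's version range: it reads a constructed Trivy JSON report, trimmed to the fields needed, and compares the installed Maven version against a GHSA-style range to separate a real scanner gap (version inside the advisory range but CVE absent from the report) from a range mismatch (the scanner merely agrees with its data source, so the advisory is what needs fixing). The range `>= 2.5.0, < 2.6.0` is constructed for illustration; only its lower bound of 2.5.0 follows the reply, and the actual bounds must be read from GHSA-g5h3-w546-pj7f. Version ordering is a simplified form of Maven's rules (`.RELEASE`, `.GA` and `.FINAL` equal the bare number; any other qualifier sorts before the release), not the exact Maven algorithm.

```python
import json
import re
from operator import eq, ge, gt, le, lt

PKG = "org.springframework.boot:spring-boot-autoconfigure"

# Constructed sample of a Trivy JSON report, trimmed to the fields used here.
# It mirrors the post: only CVE-2023-20883 is reported for the package.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "pom.xml",
        "Class": "lang-pkgs",
        "Type": "pom",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2023-20883",
            "PkgName": PKG,
            "InstalledVersion": "2.3.12.RELEASE",
            "Severity": "HIGH",
        }],
    }],
})

# Hypothetical advisory range: the lower bound 2.5.0 follows the reply above;
# the upper bound is made up for illustration only.
HYPOTHETICAL_RANGE = ">= 2.5.0, < 2.6.0"

_RELEASE_QUALIFIERS = {"", "release", "ga", "final"}


def reported_cves(report_json, pkg_name):
    """IDs of every vulnerability Trivy reported against pkg_name."""
    ids = set()
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("PkgName") == pkg_name:
                ids.add(vuln["VulnerabilityID"])
    return ids


def parse_version(version):
    """Simplified Maven ordering key: numeric segments, then a release flag.

    2.5.0.RELEASE == 2.5 == 2.5.0 and 2.5.0-RC1 < 2.5.0. Pre-release
    qualifiers compare as lowercase strings, cruder than Maven itself.
    """
    numbers, qualifier = [], None
    for part in re.split(r"[.\-]", version.strip()):
        if qualifier is None and part.isdigit():
            numbers.append(int(part))
        elif part.lower() in _RELEASE_QUALIFIERS:
            continue
        elif qualifier is None:
            qualifier = part.lower()
        else:
            qualifier += "-" + part.lower()
    while numbers and numbers[-1] == 0:   # 2.5.0 -> 2.5
        numbers.pop()
    return (tuple(numbers), 0 if qualifier is None else -1, qualifier or "")


def in_range(version, constraints):
    """True if version satisfies every comma-separated GHSA-style constraint."""
    ops = {">=": ge, ">": gt, "<=": le, "<": lt, "=": eq}
    key = parse_version(version)
    for constraint in constraints.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*(\S+)\s*", constraint)
        if not m:
            raise ValueError(f"unsupported constraint: {constraint!r}")
        op, bound = m.groups()
        if not ops[op](key, parse_version(bound)):
            return False
    return True


def triage(report_json, pkg_name, installed, cve_id, advisory_range):
    """Classify a "missing CVE" claim against the scanner's own data source.

    reported     - the CVE is in the report; nothing to do
    gap          - inside the advisory range but absent: scanner or DB bug
    out-of-range - scanner agrees with the advisory; get the advisory fixed
    """
    if cve_id in reported_cves(report_json, pkg_name):
        return "reported"
    if in_range(installed, advisory_range):
        return "gap"
    return "out-of-range"


if __name__ == "__main__":
    for cve in ("CVE-2023-20883", "CVE-2023-20873"):
        print(cve, triage(SAMPLE_REPORT, PKG, "2.3.12.RELEASE", cve,
                          HYPOTHETICAL_RANGE))
```

Against the constructed report and range, CVE-2023-20873 on 2.3.12.RELEASE comes out as `out-of-range`, which is the reply's position: the scanner is silent because its data source does not list that version as affected, so the place to act is the advisory, not Trivy. Swap in the real range from the GHSA page before drawing conclusions about a production report.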