
[FP]: CVE-2022-22976 in spring-security-oauth2-2.5.2.RELEASE.jar #4577

Closed
OrangeDog opened this issue Jun 7, 2022 · 3 comments · Fixed by #4584
Labels: FP Report, maven (changes to the maven plugin)

@OrangeDog

Package URL

pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.5.2.RELEASE

CPE

cpe:2.3:a:vmware:spring_security:2.5.2:release:*:*:*:*:*:*

CVE

CVE-2022-22976

ODC Integration

Maven Plugin

ODC Version

7.1.0

Description

Multiple related and sub-projects are incorrectly detected as vmware:spring_security.

@github-actions

github-actions bot commented Jun 7, 2022

Maven Coordinates

<dependency>
   <groupId>org.springframework.security.oauth</groupId>
   <artifactId>spring-security-oauth2</artifactId>
   <version>2.5.2.RELEASE</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4577
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.oauth/spring-security-oauth2@.*$</packageUrl>
   <cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/2454156802
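The script below is an added example, not code from this issue, from the bot, or from Dependency-Check itself. It parses a minimal suppression file built around the rule posted above and applies it to a few constructed findings, to show what the packageUrl-plus-cpe pairing actually removes: the vmware:spring_security CPE identifier for every version of spring-security-oauth2 (the regex ends in @.*$), and with it every CVE reported under that CPE, while a genuine org.springframework.security artifact matched to the same CPE stays flagged. The Finding and Rule dataclasses, the function names, the findings list and the reduction of a cpe:2.3 string to the cpe:/ prefix form for comparison are all the example's own assumptions and simplifications of how ODC matches suppressions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# Constructed suppression file for this example. It carries only the rule the
# bot posted in this issue, without the schema namespace or base="true".
SUPPRESSIONS_XML = r"""<suppressions>
  <suppress>
    <notes><![CDATA[
    FP per issue #4577
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.oauth/spring-security-oauth2@.*$</packageUrl>
    <cpe>cpe:/a:vmware:spring_security</cpe>
  </suppress>
</suppressions>
"""


@dataclass(frozen=True)
class Finding:
    purl: str  # package URL of the scanned artifact
    cpe: str   # CPE 2.3 string ODC matched the artifact to
    cve: str   # CVE reported under that CPE


@dataclass(frozen=True)
class Rule:
    purl_pattern: re.Pattern
    cpe_prefixes: Tuple[str, ...]
    notes: str


# Constructed findings (not from a real scan): the FP reported in this issue,
# the same FP on an older spring-security-oauth2 version, and a genuine Spring
# Security artifact matched to the same CPE, which must NOT be suppressed.
FINDINGS = [
    Finding("pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.5.2.RELEASE",
            "cpe:2.3:a:vmware:spring_security:2.5.2:release:*:*:*:*:*:*", "CVE-2022-22976"),
    Finding("pkg:maven/org.springframework.security.oauth/spring-security-oauth2@2.3.8.RELEASE",
            "cpe:2.3:a:vmware:spring_security:2.3.8:release:*:*:*:*:*:*", "CVE-2022-22976"),
    Finding("pkg:maven/org.springframework.security/spring-security-core@5.6.3",
            "cpe:2.3:a:vmware:spring_security:5.6.3:*:*:*:*:*:*:*", "CVE-2022-22976"),
]


def cpe23_to_22(cpe23: str) -> str:
    """Reduce a CPE 2.3 formatted string to the cpe:/part:vendor:product[:version[:update]]
    form the suppression file uses, dropping trailing '*' fields. This is the
    example's own simplification, not ODC's CPE parser."""
    fields = cpe23.split(":")[2:7]  # part, vendor, product, version, update
    while fields and fields[-1] == "*":
        fields.pop()
    return "cpe:/" + ":".join(fields)


def load_rules(xml_text: str) -> List[Rule]:
    """Parse <suppress> entries that are scoped by a <packageUrl> element."""
    rules = []
    for node in ET.fromstring(xml_text).iter("suppress"):
        purl_node = node.find("packageUrl")
        if purl_node is None or not purl_node.text:
            continue  # the example handles only packageUrl-scoped rules
        pattern = purl_node.text.strip()
        if purl_node.get("regex", "false").lower() != "true":
            pattern = "^" + re.escape(pattern) + "$"  # literal match unless regex="true"
        prefixes = tuple(c.text.strip() for c in node.findall("cpe") if c.text)
        notes_node = node.find("notes")
        notes = (notes_node.text or "").strip() if notes_node is not None else ""
        rules.append(Rule(re.compile(pattern), prefixes, notes))
    return rules


def is_suppressed(finding: Finding, rules: List[Rule]) -> bool:
    """A rule applies when its packageUrl matches the artifact AND one of its
    <cpe> entries is a prefix of the matched CPE. Suppressing the CPE removes
    the identifier itself, so every CVE reported under it goes with it."""
    cpe22 = cpe23_to_22(finding.cpe)
    for rule in rules:
        if not rule.purl_pattern.search(finding.purl):
            continue
        if any(cpe22 == p or cpe22.startswith(p + ":") for p in rule.cpe_prefixes):
            return True
    return False


def apply_suppressions(findings: List[Finding], rules: List[Rule]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (kept, suppressed)."""
    kept, suppressed = [], []
    for f in findings:
        (suppressed if is_suppressed(f, rules) else kept).append(f)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_suppressions(FINDINGS, load_rules(SUPPRESSIONS_XML))
    for f in suppressed:
        print(f"suppressed: {f.purl} {f.cve}")
    for f in kept:
        print(f"kept:       {f.purl} {f.cve}")
```

Because the rule is keyed on the CPE rather than on a `<cve>`, it is the right shape only when the identification itself is wrong, as it is here: a spring-security-oauth2 jar is not the vmware:spring_security product. For a correctly identified product that merely is not affected by one CVE, suppress that CVE instead, so that future CVEs published under the same CPE still surface. To use a rule like this in a project rather than in ODC's own base suppression file (which is what the bot's base="true" attribute targets), drop that attribute and point the Maven plugin at your file through its suppressionFiles configuration.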

@github-actions github-actions bot added the maven changes to the maven plugin label Jun 7, 2022
@aikebah

aikebah commented Jun 8, 2022

Will resolve this FP, but you are advised to replace it by SpringSecurity's native oauth support, as this project is archived as per https://github.com/spring-attic/spring-security-oauth

@aikebah aikebah self-assigned this Jun 8, 2022
@aikebah aikebah added this to the 7.1.1 milestone Jun 8, 2022
@OrangeDog

Yes, I know. When spring-authorization-server finally has feature parity I'll start planning an upgrade. In the meantime it's very important to have accurate vulnerability analysis of it, as any fixes I'll have to do myself.
