False positives on the spring boot 1.4.3 dependencies #642
It looks like the dependency check mismatches the version of the Spring artifacts (e.g. spring-boot) and the version of the spring-core artifact, which is vulnerable in versions older than 4.3.5.
The Spring Framework release that fixes CVE-2016-9878 is 4.3.5, as announced here https://spring.io/blog/2016/12/21/spring-framework-4-3-5-4-2-9-and-3-2-18-available-now and this version is included as part of the Spring Boot 1.4.3 release.
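A triage sketch for the mismatch reported above, added here as an example; it is not dependency-check's code and not part of the original issue. It assumes the faulty match compares each Spring artifact's own version against 4.3.5 (`naive_flag`, a hypothetical model), takes the fixed releases per line from the linked announcement, and runs on constructed Maven coordinates.

```python
import re

# Fixed release per Spring Framework line, from the announcement linked in the issue.
FIXED = {(4, 3): (4, 3, 5), (4, 2): (4, 2, 9), (3, 2): (3, 2, 18)}
FRAMEWORK_GROUP = "org.springframework"  # Spring Boot uses org.springframework.boot

def parse(version):
    """'4.3.5.RELEASE' -> (4, 3, 5); the qualifier is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    return tuple(int(part) for part in m.groups())

def naive_flag(gav):
    """Assumed faulty behaviour: any Spring artifact, judged by its own version."""
    group, _artifact, version = gav.split(":")
    return group.startswith(FRAMEWORK_GROUP) and parse(version) < (4, 3, 5)

def framework_affected(gav):
    """True/False for Spring Framework modules on a known line, else None."""
    group, _artifact, version = gav.split(":")
    if group != FRAMEWORK_GROUP:
        return False  # not versioned with Spring Framework
    v = parse(version)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed

def triage(gavs):
    """Classify each coordinate by comparing the naive flag with the real check."""
    verdicts = {}
    for gav in gavs:
        flagged, affected = naive_flag(gav), framework_affected(gav)
        if affected is None:
            verdicts[gav] = "needs review"  # release line not in FIXED
        elif flagged and not affected:
            verdicts[gav] = "false positive"
        else:
            verdicts[gav] = "affected" if affected else "clean"
    return verdicts

# Constructed sample: resolved dependencies of a hypothetical Boot 1.4.3 build,
# plus an older spring-core for contrast.
SAMPLE = [
    "org.springframework.boot:spring-boot:1.4.3.RELEASE",
    "org.springframework:spring-core:4.3.5.RELEASE",
    "org.springframework:spring-core:4.3.4.RELEASE",
]
```

Calling `triage(SAMPLE)` marks the spring-boot coordinate as a false positive because its version number belongs to Spring Boot, while the spring-core entries are judged against the framework's own fixed releases.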