Potential security vulnerabilities based on OWASP Dependency Check [BATCH-2748] #856
Comments
Mahmoud Ben Hassine commented Thank you for reporting this! Can you share the details of each vulnerability so we can see where it is happening? The screenshot is good but not very helpful for seeing the details of each issue.
Michael Minella commented Please provide your full report. I just ran this against the Spring Batch project and the only vulnerable dependency it found was against Spring Framework 4.1.0, which we can upgrade to a new point release to address. I've attached the report for reference.
Petr Dvorak commented Hello Michael, please find our full OWASP Dependency-Check report in the attachment (dependency-check-report-wultra.html).
Petr Dvorak commented @Michael Minella Looking at the reports, the issues are really only in Spring Framework 4.0.1; there are a couple of vulnerabilities. Other issues are in other libraries that we will update independently.
Michael Minella commented The question here is why the report is saying that Spring Batch 4 depends on Spring Framework 4, since Spring Batch 4 depends on Spring Framework 5. I'll need to do some digging to see what's going on, but I believe this is a false positive. Can you confirm in your project what version of Spring Framework is being brought in and how?
Petr Dvorak commented We use Spring Boot (2.0.4.RELEASE); the full pom.xml file is available here: https://github.com/wultra/powerauth-push-server/blob/develop/pom.xml After analyzing it in more detail, it really seems like a false positive: the tool focuses too heavily on the keywords "spring" and "4.0.1" appearing together and does not see that "spring-batch-core" is actually a standalone library that depends on "spring-core" in version "5.0.8".
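The practical follow-up on the reporting side, as an added example that is not part of the original issue and not code from either project: a Dependency-Check suppression file that drops the Spring Framework CPE match for the spring-batch-core artifact only, so genuine findings against an actual spring-core jar still surface. The CPE vendor/product string, the schema URL and the file name are assumptions about the tool's data and should be checked against the CPE shown in your own report before use; the rule is only justified once `mvn dependency:tree -Dincludes=org.springframework:spring-core` confirms the resolved spring-core is the 5.x line.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name, example only).
     Scope: suppress the spring_framework CPE that the analyzer infers from
     the "spring" + "4.0.1" evidence in spring-batch-core's coordinates.
     Do NOT suppress by CVE id: that would also hide a real spring-core finding. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: spring-batch-core 4.0.x is matched to Spring Framework 4.0.1
        on keyword evidence. Verified with `mvn dependency:tree
        -Dincludes=org.springframework:spring-core` that spring-core resolves to 5.x.
        Re-check this rule whenever Spring Batch or Spring Boot is upgraded.
        ]]></notes>
        <!-- Limit the rule to this one artifact (any version), not to every "spring" jar. -->
        <gav regex="true">^org\.springframework\.batch:spring-batch-core:.*$</gav>
        <!-- CPE prefix to drop; assumed vendor/product, copy the value from your report. -->
        <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
    </suppress>
</suppressions>
```

Wire the file in through the Maven plugin's `suppressionFiles` configuration (or `--suppression` on the CLI), keep it in version control next to the pom.xml, and treat every entry as a dated claim that has to be re-verified after a dependency bump, since the same keyword match can become a true positive if a transitive spring-core ever drops back to a vulnerable line.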
Michael Minella commented That's what I thought. I'm going to close this issue as not an issue. We can re-open it if you provide us with additional information showing that Spring Batch 4 is bringing in a dependency that is vulnerable.
Petr Dvorak commented Thank you for the evaluation, @Michael Minella. We will try to analyze the dependencies better on our end next time, so that we do not flood you with invalid issue reports.
Petr Dvorak opened BATCH-2748 and commented
After performing an OWASP Dependency-Check scan on our project, we have discovered that there are possible security vulnerabilities in the "core" project (4.0.1.RELEASE), some of them with high severity.
[Screenshot attachment: Screen Shot 2018-08-29 at 17.56.14.png]
Could you please have a look and possibly fix the issues, at least those with the highest severity? Or - in case these are false positives - comment on the issues?
Affects: 4.0.1