
Potential security vulnerabilities based on OWASP Dependency Check [BATCH-2748] #856

Closed
spring-issuemaster opened this issue Aug 29, 2018 · 8 comments

Comments


@spring-issuemaster spring-issuemaster commented Aug 29, 2018

Petr Dvorak opened BATCH-2748 and commented

After performing an OWASP Dependency Check on our project, we have discovered that there are possible security vulnerabilities in the "core" project (4.0.1.RELEASE), some of them with high severity.

[Attachment: Screen Shot 2018-08-29 at 17.56.14.png]

Could you please have a look and possibly fix the issues, at least those with the highest severity? Or - in case these are false positives - comment on the issues?


Affects: 4.0.1

Attachments:


@spring-issuemaster spring-issuemaster commented Aug 30, 2018

Mahmoud Ben Hassine commented

Thank you for reporting this out!

Can you share the details of each vulnerability so we see where it is happening? The screenshot is good but not very helpful to see the details of each issue.


@spring-issuemaster spring-issuemaster commented Aug 30, 2018

Michael Minella commented

Please provide your full report. I just ran this against the Spring Batch project and the only vulnerable dependency it found was against Spring Framework 4.1.0, which we can upgrade to a new point release to address. I've attached the report for reference.


@spring-issuemaster spring-issuemaster commented Aug 31, 2018

Petr Dvorak commented

Hello Michael, please find our full OWASP Dependency-Check report in the attachment (dependency-check-report-wultra.html).


@spring-issuemaster spring-issuemaster commented Aug 31, 2018

Petr Dvorak commented

Michael Minella, looking at the reports, the issues are really only in Spring Framework 4.0.1; there are a couple of vulnerabilities. Other issues are in other libraries that we will update independently.


@spring-issuemaster spring-issuemaster commented Aug 31, 2018

Michael Minella commented

The question here is why the report is saying that Spring Batch 4 depends on Spring Framework 4, since Spring Batch 4 depends on Spring Framework 5. I'll need to do some digging to see what's going on, but I believe this is a false positive. Can you confirm in your project what version of Spring Framework is being brought in and how?


@spring-issuemaster spring-issuemaster commented Aug 31, 2018

Petr Dvorak commented

We use Spring Boot (2.0.4.RELEASE), the full pom.xml file is available here:

https://github.com/wultra/powerauth-push-server/blob/develop/pom.xml

After analyzing it in more detail, it really seems like a false positive: the tool focuses too much on the keywords "spring" and "4.0.1" appearing together and does not see that "spring-batch-core" is actually a standalone library that depends on "spring-core" in version "5.0.8".
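The mis-match described above (the scanner attributing the Spring Framework CPE to the spring-batch-core jar on the strength of "spring" plus "4.0.1") is the classic Dependency-Check false positive, and the defender-side fix is a suppression scoped to exactly that artifact and CPE, so that real findings against the resolved spring-core 5.x jar are still reported. The following suppression file is an added example, not code from this thread, from Spring Batch or from the powerauth-push-server project; the file name, the schema URL version and the two CPE strings are assumptions, and the exact CPE must be copied from the report row for spring-batch-core-4.0.1.RELEASE.jar.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (added example; file name is an assumption) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: spring-batch-core-4.0.1.RELEASE.jar is matched to the
        Spring Framework CPE because its evidence contains the keyword "spring"
        and the version "4.0.1". Spring Batch 4.0.1 actually depends on
        Spring Framework 5.x (resolved as spring-core 5.0.8 in this build).
        Confirm the real resolved version before suppressing, e.g.
          mvn dependency:tree -Dincludes=org.springframework:spring-core
        ]]></notes>
        <!-- Scope the suppression to this one artifact (regex on group:artifact:version),
             so findings against the real spring-core jar are still reported. -->
        <gav regex="true">^org\.springframework\.batch:spring-batch-core:.*$</gav>
        <!-- Suppress the mis-attributed CPEs, not individual CVE ids: a CVE-based
             suppression would silently hide future CVEs filed under the same CPE.
             The CPE strings below are assumptions; copy them from the report. -->
        <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
        <cpe>cpe:/a:springsource:spring_framework</cpe>
    </suppress>
</suppressions>
```

Reference the file from the dependency-check-maven plugin configuration in pom.xml with a `suppressionFiles` element containing one `suppressionFile` entry, and commit it next to the pom so the suppression is reviewed like code. Two checks keep it honest: the `mvn dependency:tree` command in the notes shows which artifact actually brings spring-core in and at what version (the question raised above), and after the next scan the report's "Suppressed" section should list only this jar and these CPEs.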

 


@spring-issuemaster spring-issuemaster commented Aug 31, 2018

Michael Minella commented

That's what I thought. I'm going to close this issue as not an issue. We can re-open it if you provide us with additional information showing that Spring Batch 4 is bringing in a dependency that is vulnerable.


@spring-issuemaster spring-issuemaster commented Aug 31, 2018

Petr Dvorak commented

Thank you for the evaluation, Michael Minella. We will try to analyze the dependencies better on our end next time, so that we do not flood you with invalid issue reports.
