
I have a Play Framework Scala app using version 2.8.2 (current)

When I run the OWASP scanner from https://github.com/albuch/sbt-dependency-check (ver 2.0.0), it flags the following CVE, which was apparently fixed in Play 2.3.9:

https://nvd.nist.gov/vuln/detail/CVE-2015-2156

Is this vuln not in fact fixed in current Play? Or is the vuln scanner misconfigured in some way? How can I fix it?

The relevant section in the dependency report looks like this:

shaded-oauth-2.1.2.jar
...
Identifiers
pkg:maven/com.typesafe.play/shaded-oauth@2.1.2  (Confidence:High)
cpe:2.3:a:playframework:play_framework:2.1.2:*:*:*:*:*:*:*  (Confidence:Highest)

The path to this dep in my project dependency tree looks like this:

[info] com.example:my-app_2.12:1.0-SNAPSHOT [S]
[info]   +-com.typesafe.play:filters-helpers_2.12:2.8.2
[info]   +-com.typesafe.play:play-ahc-ws_2.12:2.8.2
[info]   | +-com.typesafe.play:play-ahc-ws-standalone_2.12:2.1.2
[info]   | | | 
[info]   | | +-com.typesafe.play:shaded-oauth:2.1.2

I notice that play-ahc-ws 2.8.2 does indeed depend on several play libs with version 2.1.2, see here: https://mvnrepository.com/artifact/com.typesafe.play/play-ahc-ws_2.13/2.8.2, including https://mvnrepository.com/artifact/com.typesafe.play/play-ahc-ws-standalone_2.13/2.1.2. Those libs do not have versions published that are later than 2.1.2.

Rich

  • Not an answer, but somewhat relevant - some of the play stuff is extracted to be an independent library, and usually such projects switch to an independent versioning scheme. `play-ahc-standalone` is likely one of such libs - it was released in December 2019, so it's not connected to play 2.1.x – J0HN Jul 03 '20 at 09:40
  • Related: https://github.com/jeremylong/DependencyCheck/issues/2683 and https://github.com/jeremylong/DependencyCheck/issues/997 – Rich Jul 13 '20 at 10:43
  • I have raised https://github.com/jeremylong/DependencyCheck/issues/2711 – Rich Jul 14 '20 at 15:07

0 Answers
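The report above shows the root cause: dependency-check has mapped the Maven artifact `shaded-oauth@2.1.2` to the CPE `playframework:play_framework:2.1.2`, so every CVE recorded against Play 2.1.x (including CVE-2015-2156) is attached to a library that is not Play itself. Until the false positive is fixed upstream (see the DependencyCheck issues linked in the comments), the practical mitigation is a suppression file that removes only that CPE match for that artifact, rather than silencing the CVE globally. The following is an added example, not code from the question or from the plugin; it assumes the suppression file is called `suppressions.xml` and is wired into sbt-dependency-check via its `dependencyCheckSuppressionFiles` setting, and the `until` date is a placeholder you should set to your own review date.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml (added example; assumed file name)
     Suppresses the wrong CPE mapping only, scoped to the package URL
     printed in the report. Anything else that really is Play 2.1.x
     (or a genuine hit on CVE-2015-2156 elsewhere) still gets reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- until="..." is a placeholder: expires the suppression so the
       mapping is re-checked once the upstream issue is resolved. -->
  <suppress until="2021-01-01Z">
    <notes><![CDATA[
      False positive: com.typesafe.play:shaded-oauth is a standalone
      library versioned 2.1.x independently of Play Framework. The scanner
      mapped it to cpe:2.3:a:playframework:play_framework:2.1.2 and thus
      to CVE-2015-2156, which was fixed in Play 2.3.9; the app is on Play 2.8.2.
      Tracking: https://github.com/jeremylong/DependencyCheck/issues/2711
    ]]></notes>
    <!-- Match the exact artifact from the report, any version -->
    <packageUrl regex="true">^pkg:maven/com\.typesafe\.play/shaded\-oauth@.*$</packageUrl>
    <!-- Drop the vendor:product mapping (the 2.2-style form of the CPE in the report) -->
    <cpe>cpe:/a:playframework:play_framework</cpe>
  </suppress>

  <!-- The standalone WS artifact from the same dependency path carries the
       same 2.1.2 version, so if it is flagged the same way, scope it the same. -->
  <suppress until="2021-01-01Z">
    <notes><![CDATA[ Same false positive as above for play-ahc-ws-standalone. ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.typesafe\.play/play\-ahc\-ws\-standalone_.*@.*$</packageUrl>
    <cpe>cpe:/a:playframework:play_framework</cpe>
  </suppress>

  <!-- Deliberately NOT used: a bare <cve>CVE-2015-2156</cve> rule with no
       packageUrl would hide that CVE for every dependency in the build. -->
</suppressions>
```

Re-run the scan after adding the file; the suppressed finding should move to the report's "suppressed" section, and the CPE confidence line for `shaded-oauth` should disappear from the active findings.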