
I have a Spring Boot project, version 2.7.0. I use dependency-check and it reports CVE-2022-22976. Do you know how I can solve it? The Spring Security version is 5.7.1, while the Spring Boot starter security version is 2.7.0.

Marek Puchalski
Lako12
  • If you are certain that you are using Spring Security 5.7.1, dependency-check is producing a false positive, as CVE-2022-22976 does not affect Spring Security 5.7. What are your exact dependencies, and what is the output of dependency-check? – Andy Wilkinson Jun 08 '22 at 11:06
  • Use Dependency Track instead. Fewer false positives... – Marek Puchalski Jun 08 '22 at 11:29

1 Answer

It's a false positive that will be automatically suppressed with the upcoming release 7.1.1: https://github.com/jeremylong/DependencyCheck/issues/4563

Currently, the Spring Boot starter for Spring Security is mistaken for Spring Security itself.

Until then you'll need to suppress it manually, in a suppression file passed to dependency-check, with something like

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Suppression file root element and namespace required by dependency-check -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress base="true">
      <notes><![CDATA[
      FP per issue #4563
      ]]></notes>
      <!-- Scoped to the starter artifact only, so a finding on Spring Security itself is still reported -->
      <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
      <cpe>cpe:/a:vmware:spring_security</cpe>
   </suppress>
</suppressions>
```
Henning
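As an added illustration that is not part of the answer above, the following Python script parses the suppression rule and shows why scoping it by `packageUrl` matters: the scoped rule hides the CVE only on the mis-identified starter, while a rule keyed on the CVE id alone would also hide it on a dependency that genuinely is Spring Security. The matching semantics are an approximation of dependency-check's own (full-string regex for `packageUrl`, prefix match for `cpe`, exact match for `cve`), the two suppression files are written here for the example, and the findings are constructed; the version on the second finding is illustrative only.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by dependency-check suppression files.
NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"


def q(tag):
    """Qualify a tag name with the suppression-file namespace."""
    return "{%s}%s" % (NS, tag)


# Constructed for this example: the scoped rule from the answer above, inside
# the <suppressions> root that a real file needs.
SCOPED_XML = """<suppressions xmlns="%s">
   <suppress>
      <notes><![CDATA[FP per issue #4563]]></notes>
      <packageUrl regex="true">^pkg:maven/org\\.springframework\\.boot/spring-boot-starter-security@.*$</packageUrl>
      <cpe>cpe:/a:vmware:spring_security</cpe>
   </suppress>
</suppressions>
""" % NS

# Constructed for contrast: a rule keyed on the CVE id only, which hides the
# CVE on every dependency, including one that is really affected.
OVERBROAD_XML = """<suppressions xmlns="%s">
   <suppress>
      <notes><![CDATA[Too broad: hides this CVE everywhere]]></notes>
      <cve>CVE-2022-22976</cve>
   </suppress>
</suppressions>
""" % NS


def load_rules(xml_text):
    """Parse each <suppress> entry into a dict of constraints."""
    rules = []
    for sup in ET.fromstring(xml_text).findall(q("suppress")):
        rule = {"notes": (sup.findtext(q("notes")) or "").strip()}
        purl = sup.find(q("packageUrl"))
        if purl is not None:
            text = purl.text.strip()
            # regex="true" means the text is a pattern; otherwise match it literally.
            rule["purl"] = re.compile(text if purl.get("regex") == "true" else re.escape(text))
        cpe = sup.findtext(q("cpe"))
        if cpe:
            rule["cpe"] = cpe.strip()
        cves = {c.text.strip() for c in sup.findall(q("cve"))}
        if cves:
            rule["cves"] = cves
        rules.append(rule)
    return rules


def matches(rule, finding):
    """True if every constraint the rule specifies holds for the finding.
    Approximation of dependency-check: packageUrl is a full-string regex,
    cpe is a prefix match, cve is an exact id match; constraints are ANDed."""
    if "purl" in rule and not rule["purl"].fullmatch(finding["purl"]):
        return False
    if "cpe" in rule and not finding["cpe"].startswith(rule["cpe"]):
        return False
    if "cves" in rule and finding["cve"] not in rule["cves"]:
        return False
    return True


def apply_suppressions(findings, rules):
    """Split findings into (suppressed, remaining)."""
    suppressed, remaining = [], []
    for f in findings:
        (suppressed if any(matches(r, f) for r in rules) else remaining).append(f)
    return suppressed, remaining


# Constructed findings: the starter mis-identified as Spring Security (the
# false positive from the question), and a finding on the Spring Security
# artifact itself at an illustrative version.
FINDINGS = [
    {"purl": "pkg:maven/org.springframework.boot/spring-boot-starter-security@2.7.0",
     "cpe": "cpe:/a:vmware:spring_security:2.7.0", "cve": "CVE-2022-22976"},
    {"purl": "pkg:maven/org.springframework.security/spring-security-core@5.6.3",
     "cpe": "cpe:/a:vmware:spring_security:5.6.3", "cve": "CVE-2022-22976"},
]


def remaining_purls(xml_text):
    """Package URLs still reported after applying the given suppression file."""
    _, remaining = apply_suppressions(FINDINGS, load_rules(xml_text))
    return [f["purl"] for f in remaining]


if __name__ == "__main__":
    for name, xml_text in (("scoped", SCOPED_XML), ("over-broad", OVERBROAD_XML)):
        print("%-10s still reported: %s" % (name, remaining_purls(xml_text)))
```

The scoped file leaves the finding on `spring-security-core` in the report; the CVE-only file removes both, which is the failure mode to avoid when silencing a false positive.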