[FP]: pkg:maven/org.springframework/spring-web@6.1.14

[kajh]

Package URl

pkg:maven/org.springframework/spring-web@6.1.1

CPE

cpe:2.3:a:springsource:spring_framework:6.1.14:::::::*

CVE

CVE-2024-38828

ODC Integration

{"label"=>"Maven Plugin"}

ODC Version

11.1.0

Description

According to https://spring.io/security/cve-2024-38828 this does not affects Spring Framework 6.x.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-web</artifactId>
   <version>6.1.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7166
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
   <cpe>cpe:/a:springsource:spring_framework</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/11878793349

[aikebah]

The vulnerability is listed with the (OSSINDEX) suffix, indicating that the vulnerability is reported by the OSSINDEX for this specific library version. OSSINDEX is known to perform its own judgement and sometimes has different attribution of affected versions due to their stricter rules on when something is truly fixed.

You'd need to take it up with them if you consider the finding to be invalid. DependencyCheck correctly reports that one of the consulted vulnerability datasources has marked Spring 6 as affected.

[kajh]

Thank you and sorry for not having checked the source of this vulnerability!

[b-heimann-senacor]

Where can one see the source of a CVE? The Sonatype website does not mention that Spring Web 6.1.4 is affected. https://ossindex.sonatype.org/vulnerability/CVE-2024-38808

I've spent 2 hours trying to figure out why this CVE is being reported for Spring Web 6.1.4, but I couldn't find anything.