False negative with spray-json 1.3.4
See original GitHub issue
Issue Type:
defect report
Current Behavior:
- Uploaded a CycloneDX BOM for a Scala project which includes spray-json_2.12 version 1.3.4.
- There are a few CVEs in NVD which apply to 1.3.4 and below (e.g. CVE-2018-18853): https://discuss.lightbend.com/t/spray-json-1-3-5-security-fix-released/2663
- These CVEs do show up in the Dependency-Track vulnerability list.
- The BOM shows version 1.3.4 and Dependency-Track correctly shows that version for the project in the UI.
- However, the vulnerability does not get indicated for that component.
Steps to Reproduce (if defect):
As above.
Expected Behavior:
Expecting the vulnerabilities to be identified for that component
Environment:
- Dependency-Track Version: v3.4.0
- Distribution: Docker
- BOM Format & Version: cyclonedx.org/schema/bom/1.0
- Database Server: PostgreSQL
- Browser: Chrome
I have OSS-index enabled.
Other Details:
BOM:
...
<component type="library">
<group>io.spray</group>
<name>spray-json_2.12</name>
<version>1.3.4</version>
...
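An added cross-check, written for this page and not part of the issue or of Dependency-Track: it parses a constructed CycloneDX 1.0 BOM modelled on the fragment above, strips the Scala binary-version suffix from the artifact name, and compares each component version against a hand-written advisory table (CVE-2018-18853, affected through 1.3.4, fixed in 1.3.5, as stated in the report). The advisory table and the second component are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed BOM modelled on the fragment in the issue (CycloneDX 1.0 namespace).
BOM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
  <components>
    <component type="library">
      <group>io.spray</group>
      <name>spray-json_2.12</name>
      <version>1.3.4</version>
    </component>
    <component type="library">
      <group>io.spray</group>
      <name>spray-json_2.11</name>
      <version>1.3.5</version>
    </component>
  </components>
</bom>
"""

NS = {"b": "http://cyclonedx.org/schema/bom/1.0"}

# Hand-written advisory table (group, artifact without Scala suffix, CVE, first fixed version).
# Constructed from the issue text: CVE-2018-18853 affects 1.3.4 and below, fixed in 1.3.5.
ADVISORIES = [
    ("io.spray", "spray-json", "CVE-2018-18853", "1.3.5"),
]

def parse_version(v):
    """Dotted numeric version to a tuple for ordering; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def strip_scala_suffix(name):
    """spray-json_2.12 -> spray-json; the suffix is a Scala binary version, not part of the artifact."""
    return re.sub(r"_\d+(\.\d+)?$", "", name)

def components(bom_xml):
    root = ET.fromstring(bom_xml)
    for c in root.findall(".//b:component", NS):
        yield (c.findtext("b:group", "", NS), c.findtext("b:name", "", NS), c.findtext("b:version", "", NS))

def find_affected(bom_xml):
    """Return (coordinate, version, cve) for every component below an advisory's fixed version."""
    hits = []
    for group, name, version in components(bom_xml):
        for g, n, cve, fixed in ADVISORIES:
            if (group, strip_scala_suffix(name)) == (g, n) and parse_version(version) < parse_version(fixed):
                hits.append((f"{group}:{name}", version, cve))
    return hits
```

Running `find_affected(BOM_XML)` flags only the 1.3.4 component, which is the result the reporter expected Dependency-Track to show.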
Top GitHub Comments
I think it’s configured with proper authentication details. I used the same combination (email address + token) that worked fine when testing the REST API
This is why I logged #265, suggesting that a “Test Connection” button would help. Per that issue, I performed additional testing of the OSS Index REST API that shows that the /api/v3/version endpoint does respond to authenticated requests (returning HTTP 200 or 401 as appropriate).
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.