False Positive due to missing "AND/OR" capabilities defined in the NVD data feed
Hello community.

Dependencies (gradle with mavenCentral):
org.springframework.security:spring-security-config:5.1.4.RELEASE
org.springframework.security:spring-security-web:5.1.4.RELEASE
org.springframework.security:spring-security-core:5.1.4.RELEASE

Matched CPE: cpe:2.3:a:pivotal_software:spring_security:5.1.4:*:*:*:*:*:*:*

Reported vulnerability: CVE-2018-1258

According to https://pivotal.io/security/cve-2018-1258 this was fixed in the 5.0.6.RELEASE version.
Original dependency check output:
spring-security-web-5.1.4.RELEASE.jar (pkg:maven/org.springframework.security/spring-security-web@5.1.4.RELEASE, cpe:2.3:a:pivotal_software:spring_security:5.1.4:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-config-5.1.4.RELEASE.jar (pkg:maven/org.springframework.security/spring-security-config@5.1.4.RELEASE, cpe:2.3:a:pivotal_software:spring_security:5.1.4:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-core-5.1.4.RELEASE.jar (pkg:maven/org.springframework.security/spring-security-core@5.1.4.RELEASE, cpe:2.3:a:pivotal_software:spring_security:5.1.4:*:*:*:*:*:*:*) : CVE-2018-1258
Actual Spring framework versions for this project (gradle output):
+--- org.springframework.boot:spring-boot-starter-web -> 2.1.3.RELEASE
| +--- org.springframework.boot:spring-boot-starter:2.1.3.RELEASE
| | +--- org.springframework.boot:spring-boot:2.1.3.RELEASE
| | | +--- org.springframework:spring-core:5.1.5.RELEASE
| | | | \--- org.springframework:spring-jcl:5.1.5.RELEASE
| | | \--- org.springframework:spring-context:5.1.5.RELEASE
| | | +--- org.springframework:spring-aop:5.1.5.RELEASE
| | | | +--- org.springframework:spring-beans:5.1.5.RELEASE
| | | | | \--- org.springframework:spring-core:5.1.5.RELEASE (*)
| | | | \--- org.springframework:spring-core:5.1.5.RELEASE (*)
| | | +--- org.springframework:spring-beans:5.1.5.RELEASE (*)
| | | +--- org.springframework:spring-core:5.1.5.RELEASE (*)
| | | \--- org.springframework:spring-expression:5.1.5.RELEASE
| | | \--- org.springframework:spring-core:5.1.5.RELEASE (*)
+--- org.springframework.boot:spring-boot-starter-security -> 2.1.3.RELEASE
| +--- org.springframework.boot:spring-boot-starter:2.1.3.RELEASE (*)
| +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
| +--- org.springframework.security:spring-security-config:5.1.4.RELEASE
| | +--- org.springframework.security:spring-security-core:5.1.4.RELEASE
| | | +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
| | | +--- org.springframework:spring-beans:5.1.5.RELEASE (*)
| | | +--- org.springframework:spring-context:5.1.5.RELEASE (*)
| | | +--- org.springframework:spring-core:5.1.5.RELEASE (*)
| | | \--- org.springframework:spring-expression:5.1.5.RELEASE (*)
| | +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
| | +--- org.springframework:spring-beans:5.1.5.RELEASE (*)
| | +--- org.springframework:spring-context:5.1.5.RELEASE (*)
| | \--- org.springframework:spring-core:5.1.5.RELEASE (*)
| \--- org.springframework.security:spring-security-web:5.1.4.RELEASE
| +--- org.springframework.security:spring-security-core:5.1.4.RELEASE (*)
| +--- org.springframework:spring-aop:5.1.5.RELEASE (*)
| +--- org.springframework:spring-beans:5.1.5.RELEASE (*)
| +--- org.springframework:spring-context:5.1.5.RELEASE (*)
| +--- org.springframework:spring-core:5.1.5.RELEASE (*)
| +--- org.springframework:spring-expression:5.1.5.RELEASE (*)
| \--- org.springframework:spring-web:5.1.5.RELEASE (*)
Top GitHub Comments
Was about to raise a false positive report when I came across this. If it’s useful for later; there’s a basic reproducing Spring Boot project here.
Would really be great to get support for the AND capabilities - the false positives from the plugin have really been coming down lately; this is the only one we have left 😃

Actually - after taking a second look the issue is that ODC does not utilize the AND capabilities within the NVD. This might take a while to resolve.

In the meantime I would suggest creating a suppression rule for the vulnerability.
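As an added illustration of the AND/OR point in the comments above (this is not code from the issue, its reporter or Dependency-Check), the Python below evaluates an NVD JSON-feed style configuration node two ways: honouring the operators, and leaf-by-leaf the way the comment describes ODC matching a single CPE. The node's contents and the project's CPE list are constructed for illustration from the issue's own dependency output; they are not the real NVD record for CVE-2018-1258.

```python
import json

# Constructed, illustrative NVD JSON-1.0-style "configurations" node (NOT the real
# CVE-2018-1258 record): vulnerable only when BOTH children match, i.e. any
# spring_security version AND a spring_framework version below 5.0.6 (assumed).
NVD_NODE = json.loads("""{
  "operator": "AND",
  "children": [
    {"operator": "OR", "cpe_match": [
      {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*"}]},
    {"operator": "OR", "cpe_match": [
      {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*",
       "versionEndExcluding": "5.0.6"}]}
  ]}""")

# CPE inventory for the project in the issue (constructed from its gradle output):
# spring-security 5.1.4 and spring-framework 5.1.5.
PROJECT_CPES = [
    "cpe:2.3:a:pivotal_software:spring_security:5.1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:pivotal_software:spring_framework:5.1.5:*:*:*:*:*:*:*",
]

def _ver(v):
    """Numeric tuple for dotted versions; non-numeric parts (e.g. RELEASE) count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def cpe_match(entry, cpe):
    """True if one cpe_match entry (vendor/product plus optional version bounds) covers cpe."""
    want, have = entry["cpe23Uri"].split(":"), cpe.split(":")
    if want[3:5] != have[3:5] or want[5] not in ("*", have[5]):
        return False  # vendor/product differ, or an exact version is required and differs
    v = _ver(have[5])
    bounds = [("versionStartIncluding", lambda b: v >= b), ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b), ("versionEndExcluding", lambda b: v < b)]
    return all(ok(_ver(entry[k])) for k, ok in bounds if k in entry) and entry.get("vulnerable", True)

def node_matches(node, cpes):
    """Evaluate the node honouring its AND/OR operator: the behaviour the issue asks for."""
    results = [any(cpe_match(m, c) for c in cpes) for m in node.get("cpe_match", [])]
    results += [node_matches(child, cpes) for child in node.get("children", [])]
    return all(results) if node.get("operator", "OR") == "AND" else any(results)

def naive_matches(node, cpes):
    """Per-CPE matching that ignores operators: any matching leaf anywhere flags the CVE."""
    return any(cpe_match(m, c) for m in node.get("cpe_match", []) for c in cpes) or \
        any(naive_matches(child, cpes) for child in node.get("children", []))

if __name__ == "__main__":
    print("leaf-only match (false positive):", naive_matches(NVD_NODE, PROJECT_CPES))  # True
    print("operator-aware match:", node_matches(NVD_NODE, PROJECT_CPES))               # False
```

Swapping the framework CPE for a 5.0.5 one makes both functions return True, which is the case the AND node actually describes.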