I have a Spring Boot project, version 2.7.0. I use dependency-check and it reports CVE-2022-22976. Do you know how I can solve it? The Spring Security version is 5.7.1, while the Spring Boot starter security version is 2.7.0.
- If you are certain that you are using Spring Security 5.7.1, dependency-check is producing a false positive, as CVE-2022-22976 does not affect Spring Security 5.7. What are your exact dependencies and what is the output of the dependency check? (Andy Wilkinson, Jun 8, 2022 at 11:06)
- Use Dependency Track instead. Fewer false positives... (Marek Puchalski, Jun 8, 2022 at 11:29)
1 Answer
It's a false positive that will be automatically suppressed in the upcoming release 7.1.1: https://github.com/jeremylong/DependencyCheck/issues/4563
Currently, the Spring Boot starter for Spring Security is mistaken for Spring Security itself.
Until then you'll need to suppress it manually with something like:
<suppress base="true">
    <notes><![CDATA[ FP per issue #4563 ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
    <cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
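To show where that fragment goes in a Maven build, here is an added example (not part of the answer above, and not from the dependency-check project): a complete suppressions file containing the answer's rule, and the dependency-check-maven plugin configuration that wires it in. The file name dependency-check-suppressions.xml and the CVSS threshold of 7 are assumptions for this example; the plugin version 7.1.1 is the release the answer refers to. The suppression matches on the starter's package URL together with the spring_security CPE, so it only silences the mis-identified starter artifact and leaves a real spring-security-* finding visible.

```xml
<!-- File: dependency-check-suppressions.xml (path is an assumption for this example) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Only the Spring Boot starter is matched: the packageUrl regex is scoped to
         org.springframework.boot/spring-boot-starter-security, so the actual
         org.springframework.security artifacts still get checked against the CPE. -->
    <suppress base="true">
        <notes><![CDATA[ FP per issue #4563: the starter is not Spring Security itself ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
        <cpe>cpe:/a:vmware:spring_security</cpe>
    </suppress>
</suppressions>

<!-- File: pom.xml, inside <build><plugins> (plugin configuration for this example) -->
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>7.1.1</version>
    <configuration>
        <!-- Point the scanner at the suppressions file kept next to the pom. -->
        <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- Fail the build on High/Critical findings that are not suppressed (threshold assumed). -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```

Before adding a suppression, confirm the version that is actually on the classpath with `mvn dependency:tree -Dincludes=org.springframework.security`; if that shows spring-security-core 5.7.1, the CVE-2022-22976 hit can only be coming from the starter and the suppression above is safe. Once the 7.1.1 plugin is in use the rule becomes redundant and can be removed, so keep the issue reference in the notes so the reason is obvious when someone revisits the file.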