I have a Spring Boot project, version 2.7.0. I use dependency-check and it reports CVE-2022-22976. Do you know how I can solve it? The Spring Security version is 5.7.1 while the spring-boot-starter-security version is 2.7.0.
CodePudding user response:
It's a false positive that will be automatically suppressed with the upcoming release 7.1.1: https://github.com/jeremylong/DependencyCheck/issues/4563
Currently, the Spring Boot starter for Spring Security is mistaken for Spring Security itself.
Until then you'll need to suppress it manually with something like:
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check suppression file; the <suppressions> root and its namespace are required for the file to load -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[
    FP per issue #4563
    ]]></notes>
    <!-- regex scoped to the Boot starter only, so real spring-security-* artifacts are still reported -->
    <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
    <cpe>cpe:/a:vmware:spring_security</cpe>
  </suppress>
</suppressions>
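The risk with a hand-written suppression is making it too broad, so that it also silences a genuine finding against Spring Security's own artifacts. The following is an added Python check, not part of the answer above or of dependency-check itself: it parses the suppression from the answer and verifies that the `packageUrl` regex matches the Boot starter but not `spring-security-core` or `spring-security-web`. The package URLs, the CPE string and the prefix-match reading of `<cpe>` are constructed assumptions for the check.

```python
import re
import xml.etree.ElementTree as ET

# Root namespace of dependency-check suppression files (schema 1.3).
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed copy of the suppression from the answer, wrapped in the root element a real file needs.
SUPPRESSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[FP per issue #4563]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
    <cpe>cpe:/a:vmware:spring_security</cpe>
  </suppress>
</suppressions>
"""

# Constructed (purl, cpe) pairs standing in for what dependency-check identifies in this project.
SPRING_SECURITY_CPE = "cpe:/a:vmware:spring_security:5.7.1"
STARTER = ("pkg:maven/org.springframework.boot/spring-boot-starter-security@2.7.0", SPRING_SECURITY_CPE)
REAL_SPRING_SECURITY = [
    ("pkg:maven/org.springframework.security/spring-security-core@5.7.1", SPRING_SECURITY_CPE),
    ("pkg:maven/org.springframework.security/spring-security-web@5.7.1", SPRING_SECURITY_CPE),
]


def load_rules(xml_text):
    """Parse each <suppress> into a (purl matcher, cpe prefix) tuple; rules without packageUrl are skipped."""
    root = ET.fromstring(xml_text)
    rules = []
    for sup in root.findall("s:suppress", NS):
        purl_el = sup.find("s:packageUrl", NS)
        if purl_el is None:
            continue
        cpe_el = sup.find("s:cpe", NS)
        if purl_el.get("regex", "false").lower() == "true":
            matcher = re.compile(purl_el.text).fullmatch
        else:
            matcher = lambda purl, exact=purl_el.text: purl == exact
        rules.append((matcher, cpe_el.text if cpe_el is not None else None))
    return rules


def is_suppressed(rules, purl, cpe):
    """A rule applies when its packageUrl matches and its cpe (if any) is a prefix of the identified CPE.
    Treating <cpe> as a prefix match is an assumption made for this check."""
    for matcher, cpe_prefix in rules:
        if matcher(purl) and (cpe_prefix is None or cpe.startswith(cpe_prefix)):
            return True
    return False


def check_scope(xml_text, expected, must_not):
    """Return (ok, leaked): ok is True only if every expected pair is suppressed and nothing in must_not is;
    leaked lists the (purl, cpe) pairs the rules would wrongly silence."""
    rules = load_rules(xml_text)
    expected_ok = all(is_suppressed(rules, p, c) for p, c in expected)
    leaked = [(p, c) for p, c in must_not if is_suppressed(rules, p, c)]
    return expected_ok and not leaked, leaked


if __name__ == "__main__":
    ok, leaked = check_scope(SUPPRESSION_XML, [STARTER], REAL_SPRING_SECURITY)
    print("answer's suppression scoped correctly:", ok, leaked)
    # A tempting "shortcut" regex covering all of org.springframework.* would hide real findings.
    broad = SUPPRESSION_XML.replace("boot/spring-boot-starter-security", ".*")
    ok, leaked = check_scope(broad, [STARTER], REAL_SPRING_SECURITY)
    print("broad suppression scoped correctly:", ok, leaked)
```

The file is handed to dependency-check with `--suppression <file>` on the CLI or through `suppressionFiles` in the Maven plugin configuration. The `broad` variant at the end shows the failure mode the check exists for: a regex that matches every `org.springframework.*` artifact would also suppress `spring-security-core` and `spring-security-web`, which is exactly where a real CVE-2022-22976 hit would be reported.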