CVE-2022-22976 spring boot 2.7.0

Time:06-18

I have a Spring Boot project, version 2.7.0. I use dependency-check and it reports CVE-2022-22976. Do you know how I can solve it? The Spring Security version is 5.7.1, while the Spring Boot starter security version is 2.7.0.

CodePudding user response:

It's a false positive that will be automatically suppressed with the upcoming release 7.1.1: https://github.com/jeremylong/DependencyCheck/issues/4563

Currently, the Spring Boot starter for Spring Security is mistaken for Spring Security itself.

Until then, you'll need to suppress it manually with something like

<suppress base="true">
   <notes><![CDATA[
   FP per issue #4563
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
   <cpe>cpe:/a:vmware:spring_security</cpe>
</suppress>
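To see what this rule does and does not hide, here is an added example (not part of the answer, and not dependency-check's own code) that loads the rule as a complete suppression file and applies the same packageUrl-and-CPE matching to two constructed findings. The schema namespace URL and the spring-security-core version are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# The answer's rule in a complete suppression file (constructed; the xsd namespace is assumed).
SUPPRESSION_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress base="true">
    <notes><![CDATA[FP per issue #4563]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
    <cpe>cpe:/a:vmware:spring_security</cpe>
  </suppress>
</suppressions>"""

@dataclass
class Finding:
    package_url: str  # purl of the scanned artifact
    cpe: str          # CPE identifier dependency-check matched it to

@dataclass
class Rule:
    purl: Optional[re.Pattern]  # packageUrl condition, None if the rule has none
    cpes: List[str]             # CPE identifiers the rule removes
    def matches(self, f: Finding) -> bool:
        # Both conditions must hold, so the rule only touches the named artifact.
        return (self.purl is None or bool(self.purl.search(f.package_url))) and f.cpe in self.cpes

def load_rules(xml_text: str) -> List[Rule]:
    local = lambda e: e.tag.split("}")[-1]  # strip the xmlns from tag names
    rules = []
    for sup in ET.fromstring(xml_text):
        purl, cpes = None, []
        for child in sup:
            if local(child) == "packageUrl":
                txt = child.text.strip()
                purl = re.compile(txt if child.get("regex") == "true" else "^" + re.escape(txt) + "$")
            elif local(child) == "cpe":
                cpes.append(child.text.strip())
        rules.append(Rule(purl, cpes))
    return rules

def remaining_findings() -> List[Finding]:
    # Constructed findings: the starter (the false positive) and a real Spring Security jar.
    findings = [
        Finding("pkg:maven/org.springframework.boot/spring-boot-starter-security@2.7.0", "cpe:/a:vmware:spring_security"),
        Finding("pkg:maven/org.springframework.security/spring-security-core@5.6.0", "cpe:/a:vmware:spring_security"),
    ]
    rules = load_rules(SUPPRESSION_XML)
    return [f for f in findings if not any(r.matches(f) for r in rules)]
```

Only the starter is dropped; a genuine spring-security-core artifact matched to the same CPE stays in the report, which is the point of scoping the rule by packageUrl rather than suppressing the CVE outright.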