
False Positive in spring-boot-starter-data-rest-1.5.16.RELEASE.jar: CVE-2018-1273 #1513

Closed
pmehtaupgrade opened this issue Oct 2, 2018 · 2 comments

Comments

@pmehtaupgrade

pmehtaupgrade commented Oct 2, 2018

Reporting False Positives

  • The location of the dependency (Maven GAV, URL to download the dependency, etc.) - dependency-check-maven:3.3.2:check (default-cli)
  • The CPE that is believed to be false positive
    • cpe:/a:pivotal_software:spring_boot:1.5.16, org.springframework.boot:spring-boot-starter-data-rest:1.5.16.RELEASE, cpe:/a:pivotal_software:spring_data_rest:1.5.16

False positive on library spring-boot-starter-data-rest-1.5.16.RELEASE.jar - reported as cpe:/a:pivotal_software:spring_boot:1.5.16, org.springframework.boot:spring-boot-starter-data-rest:1.5.16.RELEASE, cpe:/a:pivotal_software:spring_data_rest:1.5.16

CVE-2018-1273 is associated with Spring Data Commons and Spring Data REST and not with spring-boot-starter-data-rest according to https://pivotal.io/security/cve-2018-1273.

Spring Boot 1.5.11 or above should not be impacted by CVE-2018-1273
https://securityonline.info/cve-2018-1273-spring-data-commons-remote-code-execution-vulnerability/
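As an added example (not part of the issue and not the project's own files), a dependency-check suppression file that would silence only the mis-assigned spring_data_rest CPE for this starter artifact, scoped by its Maven coordinates rather than by file path, so the artifact's other findings still surface; the GAV and CPE values are the ones quoted in the report above, the file name and the maven plugin wiring in the trailing comment are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml (assumed file name); referenced from the
     dependency-check-maven plugin via <suppressionFile>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

    <suppress>
        <notes><![CDATA[
        False positive: spring-boot-starter-data-rest is a Boot starter, not
        Spring Data REST itself, so the spring_data_rest CPE (and CVE-2018-1273
        reached through it) does not apply to this artifact. Tracked upstream
        in DependencyCheck issue #1513; remove once the fixed release is in use.
        ]]></notes>

        <!-- Match on the artifact's GAV, not on a build-specific file path,
             so the suppression survives rebuilds and version bumps of the
             starter within the 1.5.x line. -->
        <gav regex="true">^org\.springframework\.boot:spring-boot-starter-data-rest:1\.5\..*$</gav>

        <!-- Suppress the wrong CPE identification rather than a single CVE:
             the identification itself is incorrect, so every CVE matched via
             this CPE is spurious for this artifact. Suppressing only
             <cve>CVE-2018-1273</cve> would leave the bad CPE in place. -->
        <cpe>cpe:/a:pivotal_software:spring_data_rest</cpe>
    </suppress>

    <!-- Deliberately NOT suppressed: cpe:/a:pivotal_software:spring_boot.
         That identification is correct for a Boot starter, and suppressing it
         would hide genuine Spring Boot advisories for this dependency. -->

</suppressions>
```

Keep the suppression narrow to the one wrong CPE; a suppression keyed on `<filePath>` or on the spring_boot CPE would either break on the next build layout or blind the scan to real findings.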

@jeremylong
Owner

Thanks for the report - in addition to removing the FP I noticed a problem where some of the sub projects of Spring Framework were not being identified correctly. While what I put in place may create a few additional FP - we can quickly clean those up (I've already fixed several I found).

The patch will be included in the next release (happening this week).

@lock

lock bot commented Nov 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 27, 2018