Hi! Projects are using spring-boot-starter-parent 3.2.0, building native images with GraalVM 21. While scanning the resulting working images with Grype we got:

```
NAME                    INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
spring-boot-starter-web 2.5.12               java-archive  GHSA-36p3-wjmg-h94x  Critical
```

How can we remediate that? If we build standard images with a Dockerfile we don't have this issue. If we just run a Maven build we have only Spring libs at 6.1.1 or Spring Boot libs at 3.2.0, which is OK.

Any help would be appreciated thank you

Comment From: bclozel

Maybe this is a problem with Grype? Have you tried asking the support team there? Native images do not ship an old version of Spring Boot so this must be a false positive.

Buildpacks usually ship an SBOM as an image label so I'm not sure why Grype assumes Spring Boot 2.5 is present.

Can you ask the Grype support why this is the case and report back here? We will reopen this issue or consider a buildpack issue if it turns out the generated image is responsible for this situation.

Thanks!

Comment From: Wouimbly

Yeah, I'll check with the Grype and GraalVM teams. The output with the latest Grype is:

```
NAME                    INSTALLED        FIXED-IN  TYPE          VULNERABILITY        SEVERITY
libc6                   2.35-0ubuntu3.5            deb           CVE-2016-20013       Negligible
spring-boot-starter-web 2.5.12                     java-archive  GHSA-36p3-wjmg-h94x  Critical
```

So it is still not able to determine which version is currently used, and it proposes a fixed version older than the one currently in use...

Anyway, thanks