Expected Behavior
I would like a 5.4 minor version to be available that does not fail security analysis tools. Currently CWE-862 seems not to be fixed earlier than 5.6, but unfortunately we are unable to migrate to Spring Boot 5.5 at the moment.
These ones seem to be related: https://github.com/spring-projects/spring-security/pull/9931 https://github.com/spring-projects/spring-security/issues/9795
Current Behavior
./gradlew dependencyCheckAnalyze fails with the following error:
spring-security-core-5.4.9.jar (pkg:maven/org.springframework.security/spring-security-core@5.4.9, cpe:2.3:a:pivotal_software:spring_security:5.4.9:*:*:*:*:*:*:*) : CWE-862: Missing Authorization
Context
We are not able to build our project anymore because of this security problem.
Comment From: strowk
Any hope at looking in this soon?
Comment From: eleftherias
@strowk Are you using this dependency for your analysis? https://github.com/jeremylong/DependencyCheck If so, there may be some false positives of CWE-862 reported for Spring Security, for example https://github.com/jeremylong/DependencyCheck/issues/4099
At the moment it's not clear to me why the tool would report this problem. If you have any additional insight feel free to share it.
Note that Spring Security does have a 5.4.10 release available.
This is the last planned release for the 5.4.x branch according to our support policy.
Do you get the same warning if you upgrade to 5.4.10?
Comment From: aikebah
> @strowk Are you using this dependency for your analysis? https://github.com/jeremylong/DependencyCheck If so, there may be some false positives of CWE-862 reported for Spring Security, for example jeremylong/DependencyCheck#4099
> At the moment it's not clear to me why the tool would report this problem. If you have any additional insight feel free to share it.
As to the why: that's because Sonatype's OSSINDEX reports it for the maven coordinates of the library (https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1?component-type=maven&component-name=org.springframework.security.spring-security-core&utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3)
Comment From: ipaulbogdan
@eleftherias Same warning for 5.5.4
Comment From: lkratochvil
Hi. Is it possible to backport the fix to 5.2.x? We are using 5.2.15.RELEASE and this issue is also reported by: https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1?component-type=maven&component-name=org.springframework.security.spring-security-core&utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3
Comment From: eleftherias
I believe this vulnerability was created by mistake. I have reported it to OSSINDEX in this issue https://github.com/OSSIndex/vulns/issues/249
At this time we don't intend to backport gh-9795 because we do not believe it to be a vulnerability.
Comment From: strowk
@eleftherias , yeah, we do use that tool.
Ok, I see that the problem is in the wrong security analysis.
FYI, if you want to suppress this and are using the same tool, the following suppression is autogenerated from the report page (but it works only if you have at least xsd 1.3 in the xmlns of your suppressions.xml):
<!-- the <packageUrl> element only exists from schema version 1.3 onwards -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        file name: spring-security-core-5.4.9.jar
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
        <vulnerabilityName>CWE-862: Missing Authorization</vulnerabilityName>
    </suppress>
</suppressions>
Not sure if this is best thing, but probably better than being stuck on this.
I don't see a necessity for this ticket, since no work appears to be planned.
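A narrower variant of the suppression above, added here as an example and not posted by anyone in the thread. The autogenerated block matches `spring-security-core@.*`, so it silences every future CWE-862 finding for that artifact at any version, including a real one. This version pins the match to the 5.4.x line actually in use and sets an `until` expiry date (an assumed date, chosen for illustration) so the suppression resurfaces for review once the OSS Index entry has had time to be withdrawn:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example; not the autogenerated suppression from the report page.
     The 1.3 schema is required for <packageUrl>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- "until" is an assumed review date: after it the finding is reported again
         so the suppression cannot silently outlive the false positive it was written for -->
    <suppress until="2023-01-01Z">
        <notes><![CDATA[
        OSS Index "CWE-862: Missing Authorization" entry for spring-security-core,
        reported upstream as a mistaken entry (OSSIndex/vulns#249).
        Scoped to the 5.4.x line we ship instead of matching every version.
        ]]></notes>
        <!-- match only 5.4.<patch>, not any future major/minor -->
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-core@5\.4\.\d+$</packageUrl>
        <vulnerabilityName>CWE-862: Missing Authorization</vulnerabilityName>
    </suppress>
</suppressions>
```

With the Gradle plugin used above, the file is wired in through the `dependencyCheck { suppressionFile = "..." }` block of the build script, after which `./gradlew dependencyCheckAnalyze` reports the finding as suppressed rather than failing the build. Upgrading to 5.5 or later without editing the regex will surface the finding again, which is the intended behaviour for a suppression that is meant to cover one known-bad advisory entry and nothing else.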