Hi, nvd.nist.gov seems to be reporting Spring4Shell vulnerability incorrectly. When we use the dependency-check-maven Maven plugin (https://jeremylong.github.io/DependencyCheck/dependency-check-maven/check-mojo.html), which references the nvd.nist.gov database, we get the message
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '9.0':
spring-boot-2.6.7.jar: CVE-2022-22965
All the online docs I can find state this defect was fixed in spring-boot version 2.6.6, so you might want to investigate why they are reporting this issue.
Comment From: mhalbritter
Can't reproduce this. A 2.6.7 Spring Boot with web starter doesn't contain any reported CVE:
I used
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>7.1.0</version>
  <configuration>
    <failBuildOnCVSS>8</failBuildOnCVSS>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
and ran mvn org.owasp:dependency-check-maven:check
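To triage a finding like the one quoted in the report (spring-boot-2.6.7.jar flagged for CVE-2022-22965, which the thread says was fixed in 2.6.6), here is an added example, not code from the thread or from the dependency-check project, that re-implements the failBuildOnCVSS gate over a dependency-check JSON report and flags findings whose artifact version is already at or above the advisory's fixed version for manual review; the report layout (dependencies[].fileName, vulnerabilities[].name / cvssv3.baseScore / cvssv2.score) and the sample report are assumptions constructed for the example.

```python
import json
import re

# Constructed sample report, modelled on the message in the issue:
# spring-boot-2.6.7.jar flagged for CVE-2022-22965 with a critical score.
# The key layout follows what dependency-check's JSON report is assumed to use.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "spring-boot-2.6.7.jar",
         "vulnerabilities": [{"name": "CVE-2022-22965", "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "spring-web-5.3.19.jar", "vulnerabilities": []},
    ]
})

# Version in which the issue text says the CVE was fixed, per artifact.
FIXED_IN = {"CVE-2022-22965": ("spring-boot", "2.6.6")}


def parse_version(v):
    """Turn '2.6.7' into (2, 6, 7) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def artifact_and_version(file_name):
    """Split 'spring-boot-2.6.7.jar' into ('spring-boot', '2.6.7')."""
    m = re.match(r"(.+?)-(\d+(?:\.\d+)*)\.jar$", file_name)
    return (m.group(1), m.group(2)) if m else (file_name, None)


def score(vuln):
    """Prefer the CVSSv3 base score and fall back to CVSSv2 when v3 is absent."""
    return vuln.get("cvssv3", {}).get("baseScore") or vuln.get("cvssv2", {}).get("score") or 0.0


def triage(report_json, threshold=9.0):
    """Return [(file, cve, score, likely_false_positive)] for findings at or above threshold."""
    findings = []
    for dep in json.loads(report_json)["dependencies"]:
        artifact, version = artifact_and_version(dep["fileName"])
        for vuln in dep.get("vulnerabilities", []):
            s = score(vuln)
            if s < threshold:
                continue  # below the failBuildOnCVSS gate, not a build failure
            fixed = FIXED_IN.get(vuln["name"])
            # Flag for review when the jar is already at or past the fixed version.
            suspicious = bool(fixed and version and fixed[0] == artifact
                              and parse_version(version) >= parse_version(fixed[1]))
            findings.append((dep["fileName"], vuln["name"], s, suspicious))
    return findings
```

A finding marked True is not proof of a false positive; it is the cue to check the scanner version and the advisory's affected range before suppressing anything.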
Comment From: dhrapson
Thanks for the assistance.
FYI it looks like a defect with v6.1.x of the dependency-check plugin, as reported by others also: https://github.com/jeremylong/DependencyCheck/issues/4409
v7.x plugin versions do not have this issue, nor is it a Spring (or NIST) issue.