CVE 映射到 Java 库
[英]CVE mapping to Java library
问题描述
There is dependency-check-maven plugin which checks if 3rd party dependencies in my Java project have known vulnerability.
有一个dependency-check-maven插件可以检查我的 Java 项目中的第 3 方依赖项是否存在已知漏洞。 The issue is that this plugin has lot of false positives (and quite likely false negatives) due to the fact that CVE does not contain unique identifier of the library.问题是由于 CVE 不包含库的唯一标识符,因此该插件有很多误报(并且很可能是误报)。 For example recent Spring vulnerability CVE-2018-1275 contains identifier cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0 up to (excluding) 4.3.16 which is quite hard to map to exact Maven dependency.例如最近的 Spring 漏洞CVE-2018-1275包含标识符cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0 up to (excluding) 4.3.16很难让 map 精确到 Maven 依赖。 See this article for more details.有关更多详细信息,请参阅本文。
Is there is some openly accessible mapping between CVEs and Maven dependencies that would allow more reliable check? CVE 和 Maven 依赖项之间是否存在一些可公开访问的映射,可以进行更可靠的检查?
2 个解决方案
解决方案1
2 已采纳 2018-07-15 10:38:47
There are 2 other options I know of. 我知道另外2个选项。 In alphabetical order: 按字母顺序:
解决方案2
0 2022-09-18 14:51:54
There is now another option which is open source vulnerabilities(osv) and the dataset that backs this including many vulnerabilities including Maven and the exact matches are available publicly .现在还有另一种选择,即开源漏洞 (osv)和支持该漏洞的数据集,包括许多漏洞,包括 Maven,并且完全匹配公开可用。 This eliminates the need to translate via cpe's instead the CVE is just linked directly to the maven package using format of Maven.这消除了通过 cpe 进行转换的需要,而是使用 Maven 格式直接链接到 maven package。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.