CVE mapping to Java library
Question
There is dependency-check-maven plugin which checks if 3rd party dependencies in my Java project have known vulnerability. The issue is that this plugin has lot of false positives (and quite likely false negatives) due to the fact that CVE does not contain unique identifier of the library. For example recent Spring vulnerability CVE-2018-1275 contains identifier cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0 up to (excluding) 4.3.16 which is quite hard to map to exact Maven dependency. See this article for more details.
Is there is some openly accessible mapping between CVEs and Maven dependencies that would allow more reliable check?
2 answers
solution1
2 ACCPTED 2018-07-15 10:38:47
There are 2 other options I know of. In alphabetical order:
solution2
0 2022-09-18 14:51:54
There is now another option which is open source vulnerabilities(osv) and the dataset that backs this including many vulnerabilities including Maven and the exact matches are available publicly . This eliminates the need to translate via cpe's instead the CVE is just linked directly to the maven package using format of Maven.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.