CVE-2022-22965 detected in Spring Boot 3.2.0 #5655
Closed
DarkAtra started this conversation in False Detection
Hello @DarkAtra

Your image contains

```json
{
  "bom-ref": "pkg:maven/org.springframework.boot/spring-boot-starter-web?package-id=4bb281bc258e5bed",
  "cpe": "cpe:2.3:a:spring-boot-starter-web:spring-boot-starter-web:*:*:*:*:*:*:*:*",
  "group": "org.springframework.boot",
  "name": "spring-boot-starter-web",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "java-pom-cataloger"
    },
    {
      "name": "syft:package:language",
      "value": "java"
    },
    {
      "name": "syft:package:metadataType",
      "value": "JavaMetadata"
    },
    {
      "name": "syft:package:type",
      "value": "java-archive"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-boot-starter-web:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_boot_starter_web:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_boot_starter_web:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-boot-starter:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-boot-starter:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_boot_starter:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_boot_starter:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:springframework:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:springframework:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-boot:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring-boot:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_boot:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring_boot:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:spring:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:boot:spring-boot-starter-web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:boot:spring_boot_starter_web:*:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:location:0:path",
      "value": "/META-INF/maven/de.idealo.security/spring-endpoint-exporter/pom.xml"
    },
    {
      "name": "syft:metadata:-:artifactID",
      "value": "spring-boot-starter-web"
    },
    {
      "name": "syft:metadata:-:groupID",
      "value": "org.springframework.boot"
    }
  ],
  "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web",
  "type": "library"
}
```

That is why Trivy reports this CVE.
If you don't need this file - you can skip this file.

Regards, Dmitriy
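Added example, not part of the thread and not code from Trivy or Syft: the component quoted above has no `version` key and its `purl` has no `@version`, so this Python helper lists such components in a CycloneDX-style SBOM together with the file they were catalogued from, for review. The sample SBOM and its `example-lib` entry are constructed, and the top-level `components` layout is an assumption.

```python
import json

# Constructed CycloneDX-style sample: the first component mirrors the shape of
# the one quoted in the thread (no version); the second is a made-up control.
SAMPLE_SBOM = json.loads("""
{"components": [
  {"group": "org.springframework.boot", "name": "spring-boot-starter-web",
   "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web",
   "properties": [
     {"name": "syft:package:foundBy", "value": "java-pom-cataloger"},
     {"name": "syft:location:0:path",
      "value": "/META-INF/maven/de.idealo.security/spring-endpoint-exporter/pom.xml"}]},
  {"group": "com.example", "name": "example-lib", "version": "1.2.3",
   "purl": "pkg:maven/com.example/example-lib@1.2.3", "properties": []}
]}
""")


def purl_version(purl):
    """Return the version of a package URL, or None when it has none."""
    # purl layout: pkg:type/namespace/name@version?qualifiers#subpath
    core = purl.split("#", 1)[0].split("?", 1)[0]
    name = core.rsplit("/", 1)[-1]
    if "@" not in name:
        return None
    return name.split("@", 1)[1] or None


def versionless_components(sbom):
    """Return components with neither a version field nor a purl version."""
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("version") or purl_version(comp.get("purl", "")):
            continue
        props = comp.get("properties", [])
        findings.append({
            "name": f'{comp.get("group", "")}:{comp.get("name", "")}',
            "found_by": [p["value"] for p in props
                         if p["name"] == "syft:package:foundBy"],
            "paths": [p["value"] for p in props
                      if p["name"].startswith("syft:location:")
                      and p["name"].endswith(":path")],
        })
    return findings


if __name__ == "__main__":
    for f in versionless_components(SAMPLE_SBOM):
        print(f"{f['name']}: no version, from {f['paths']} via {f['found_by']}")
```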
IDs
CVE-2022-22965
Description
Trivy detected the following CVE in Spring Boot 3.2.0:
This seems to be a false positive as the issue was fixed back in Spring Framework 5.3.18+. Spring Boot 3.2.0 is based on Spring Framework 6.1.1 which was never affected.
Reproduction Steps
Version
Checklist
-f json
that shows data sources and confirmed that the security advisory in data sources was correct