OWASP scan still shows vulnerability when spring-2.0.5 is updated to 2.0.6 and myBatis-3.5.5 to 3.5.6 #2118
Hi,
Don't know if this is the correct channel to ask about the recent vulnerability with mybatis-3.5.5; hope that someone can direct me to the correct place.
Recently we did an OWASP scan on the libs that my project is using and a vulnerability was flagged for mybatis-spring-2.0.5.jar on CVE-2020-26945, to use mybatis-3.5.6.
Therefore, I have replaced the current 3.5.5 with 3.5.6 and did an OWASP scan again, but it was flagged again.
So, we suspect that maybe it was referencing the POM.xml in mybatis-spring-2.0.5, which still points to 3.5.5, thus the issue.
I have updated mybatis-spring-2.0.5 to 2.0.6 with mybatis-3.5.6 and did a scan again.
The vulnerability is still being flagged.
Any reason why it is so? We have reported that it is a false positive when we upgrade mybatis-3.5.5 to 3.5.6, but security just doesn't want to accept it. Need expert advice on this. Thank you so much.

Comments

Please see #2079.

Hi harawata,
I have no idea.

OWASP is just showing CVE data, so if anything, the CVE data is incorrectly input or simply not handled well by that tool. Looking at the CVE, it denotes that 3.5.6 does not contain the issue. So the fact that it shows kind of leans towards that tool not handling it well. You can report the issue to dependency-check and reference the CVE data and the fact that Snyk seems to show it correctly here.

Fixed in dependency-check 6.0.4 release.
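The thread's reasoning is that the scanner only reproduces CVE data, the CVE itself says mybatis 3.5.6 does not contain the issue, and the finding is attached to mybatis-spring-2.0.5.jar rather than to a mybatis jar. The script below is an added example for this page, not code from the issue, from the MyBatis project or from OWASP dependency-check: it applies that reasoning mechanically to a scan report so that a finding against an already-fixed version, or against a jar whose Maven coordinates are not the affected artifact, is flagged as a likely false positive for the reviewer, while a genuinely old version is reported as something to upgrade. The report is constructed to mirror the general shape of a dependency-check JSON report (a list of dependencies, each carrying package URLs and CVE names); the exact field names and the KNOWN_FIXES table are assumptions made for the example.

```python
"""Triage scanner findings against known fix data (added example, not project code).

The sample report is constructed; it mirrors the general shape of a
dependency-check JSON report ("dependencies" -> "packages"[].id as a package
URL, "vulnerabilities"[].name as a CVE id) but the field names are an
assumption, not a specification of the tool's real output.
"""
import json
import re

# Assumption: hand-maintained table, CVE -> (affected group/artifact, first fixed version).
# The thread states that CVE-2020-26945 concerns mybatis and that 3.5.6 does not contain it.
KNOWN_FIXES = {
    "CVE-2020-26945": ("org.mybatis/mybatis", "3.5.6"),
}

# Maven package URL: pkg:maven/<group>/<artifact>@<version>[?qualifiers]
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#]+)")


def parse_maven_purl(purl):
    """Return ("group/artifact", version), or None if this is not a Maven purl."""
    m = PURL_RE.match(purl)
    if not m:
        return None
    return f"{m['group']}/{m['artifact']}", m["version"]


def version_key(version):
    """Numeric tuple for comparison: '3.5.6' -> (3, 5, 6).
    Pre-release suffixes are ignored; good enough for triage, not full Maven ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def triage(report):
    """Classify every (jar, CVE) pair as false_positive, true_positive or unknown."""
    results = []
    for dep in report["dependencies"]:
        coords = [c for c in (parse_maven_purl(p["id"]) for p in dep.get("packages", [])) if c]
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln["name"]
            fix = KNOWN_FIXES.get(cve)
            if fix is None:
                verdict, reason = "unknown", "no fix data; triage manually"
            else:
                pkg, fixed_in = fix
                versions = [v for name, v in coords if name == pkg]
                if not versions:
                    # The CVE is about a different artifact than this jar, as with the
                    # mybatis-spring-2.0.5.jar finding in the thread.
                    verdict, reason = "false_positive", f"jar is not {pkg}"
                elif version_key(versions[0]) >= version_key(fixed_in):
                    verdict, reason = "false_positive", f"{pkg} {versions[0]} is at or past the fix ({fixed_in})"
                else:
                    verdict, reason = "true_positive", f"upgrade {pkg} to {fixed_in}"
            results.append({"file": dep["fileName"], "cve": cve, "verdict": verdict, "reason": reason})
    return results


# Constructed sample report, not real scanner output. CVE-0000-0000 is a placeholder id.
SAMPLE_REPORT = json.loads("""
{
  "dependencies": [
    {"fileName": "mybatis-spring-2.0.5.jar",
     "packages": [{"id": "pkg:maven/org.mybatis/mybatis-spring@2.0.5"}],
     "vulnerabilities": [{"name": "CVE-2020-26945"}]},
    {"fileName": "mybatis-3.5.6.jar",
     "packages": [{"id": "pkg:maven/org.mybatis/mybatis@3.5.6"}],
     "vulnerabilities": [{"name": "CVE-2020-26945"}]},
    {"fileName": "mybatis-3.5.5.jar",
     "packages": [{"id": "pkg:maven/org.mybatis/mybatis@3.5.5"}],
     "vulnerabilities": [{"name": "CVE-2020-26945"}]},
    {"fileName": "other-1.0.jar",
     "packages": [{"id": "pkg:maven/com.example/other@1.0"}],
     "vulnerabilities": [{"name": "CVE-0000-0000"}]}
  ]
}
""")


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f"{r['file']:28} {r['cve']:15} {r['verdict']:15} {r['reason']}")
```

A "false_positive" verdict here is a prompt for a reviewer, not a verdict on the scanner: the thread's resolution was an updated dependency-check release (6.0.4), and a finding that persists after that should be taken to dependency-check together with the CVE data, as the thread suggests, rather than silently suppressed.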