Backport fix for CWE-862 to 5.4

[strowk]

Expected Behavior

I would like if minor version 5.4 was available, which does not fail security analysis tools. Currently CWE-862 seems to not be fixed earlier than 5.6, but unfortunately we are unable to migrate to Spring Boot 5.5 at the moment.

These ones seem to be related:
#9931
#9795

Current Behavior

./gradlew dependencyCheckAnalyze fails with following error:

spring-security-core-5.4.9.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_sof
tware:spring_security:5.4.9:*:*:*:*:*:*:*) : CWE-862: Missing Authorization

Context

We are not able to build our project anymore because of this security problem.

[strowk]

Any hope at looking in this soon?

[eleftherias]

@strowk Are you are using this dependency for your analysis? https://github.com/jeremylong/DependencyCheck
If so, there may be some false positives of CWE-862 reported for Spring Security, for example jeremylong/DependencyCheck#4099

At the moment it's not clear to me why the tool would report this problem.
If you have any additional insight feel free to share it.

Note that Spring Security does have a 5.4.10 release available.
This is the last planned release for the 5.4.x branch according to our support policy.

Do you get the same warning if you upgrade to 5.4.10?

[aikebah]

@strowk Are you are using this dependency for your analysis? https://github.com/jeremylong/DependencyCheck If so, there may be some false positives of CWE-862 reported for Spring Security, for example jeremylong/DependencyCheck#4099

At the moment it's not clear to me why the tool would report this problem. If you have any additional insight feel free to share it.

As to the why: that's because Sonatype's OSSINDEX reports it for the maven coordinates of the library (https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1?component-type=maven&component-name=org.springframework.security.spring-security-core&utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3)

[ipaulbogdan]

@eleftherias
Same warning for 5.5.4

[lkratochvil]

Hi. Is it possible to backport fix for 5.2.x ? We are using 5.2.15.RELEASE and this issue is also reported by:
https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1?component-type=maven&component-name=org.springframework.security.spring-security-core&utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3

[eleftherias]

I believe this vulnerability was created by mistake.
I have reported it to OSSINDEX in this issue OSSIndex/vulns#249

At this time we don't intend to backport gh-9795 because we do not believe it to be a vulnerability.

[strowk]

@eleftherias , yeah, we do use that tool.

Ok, I see that the problem is in the wrong security analysis.

FYI if you wanna suppress this and are using same tool, following suppression is autogenerated from report page (but works only if you have at least xsd 1.3 in xmlns of your suppressions.xml) :

    <suppress>
        <notes><![CDATA[
   file name: spring-security-core-5.4.9.jar
   ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
        <vulnerabilityName>CWE-862: Missing Authorization</vulnerabilityName>
    </suppress>

Not sure if this is best thing, but probably better than being stuck on this.

I don't see necessity in this ticket, since no work appears to be planned