False positive on spring-batch - reported as cpe:/a:pivotal_software:spring_framework:3.0.9, cpe:/a:pivotal:spring_framework:3.0.9, org.springframework.batch:spring-batch-core:3.0.9.RELEASE

[domseichter]

I think there are a few false positives reported with maven-dependency-check version: 3.3.1
See #1328 where the same was reported for spring-batch 3.0.8.RELEASE.
The same issues appear now for spring-batch packages in version: 3.0.9

The affected CVEs are: CVE-2018-1271, CVE-2018-1270, CVE-2016-9878, CVE-2018-1272
The affected files are:

Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2018-1270
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2018-1270
Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2016-9878
Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2018-1271
Filename: spring-batch-core-3.0.9.RELEASE.jar | Reference: CVE-2018-1272
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2016-9878
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2018-1271
Filename: spring-batch-infrastructure-3.0.9.RELEASE.jar | Reference: CVE-2018-1272

Maven coordinates

      <dependency>
        <groupId>org.springframework.batch</groupId>
        <artifactId>spring-batch-core</artifactId>
        <version>3.0.9.RELEASE</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.batch</groupId>
        <artifactId>spring-batch-infrastructure</artifactId>
        <version>3.0.9.RELEASE</version>
      </dependency>

[jeremylong]

The updated suppression file to resolve this issue will be included in the next release. Thanks for the FP report!

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.