Backport fix for CWE-862 to 5.4

[strowk]

Expected Behavior

I would like if minor version 5.4 was available, which does not fail security analysis tools. Currently CWE-862 seems to not be fixed earlier than 5.6, but unfortunately we are unable to migrate to Spring Boot 5.5 at the moment.

These ones seem to be related:
#9931
#9795

Current Behavior

./gradlew dependencyCheckAnalyze fails with following error:

spring-security-core-5.4.9.jar (pkg:maven/org.springframework.security/spring-security-core@5.4.9, cpe:2.3:a:pivotal_sof
tware:spring_security:5.4.9:*:*:*:*:*:*:*) : CWE-862: Missing Authorization

Context

We are not able to build our project anymore because of this security problem.

[strowk]

Any hope at looking in this soon?

[eleftherias]

@strowk Are you are using this dependency for your analysis? https://github.com/jeremylong/DependencyCheck
If so, there may be some false positives of CWE-862 reported for Spring Security, for example jeremylong/DependencyCheck#4099

At the moment it's not clear to me why the tool would report this problem.
If you have any additional insight feel free to share it.

Note that Spring Security does have a 5.4.10 release available.
This is the last planned release for the 5.4.x branch according to our support policy.

Do you get the same warning if you upgrade to 5.4.10?

[aikebah]

@strowk Are you are using this dependency for your analysis? https://github.com/jeremylong/DependencyCheck If so, there may be some false positives of CWE-862 reported for Spring Security, for example jeremylong/DependencyCheck#4099

At the moment it's not clear to me why the tool would report this problem. If you have any additional insight feel free to share it.

As to the why: that's because Sonatype's OSSINDEX reports it for the maven coordinates of the library (https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1?component-type=maven&component-name=org.springframework.security.spring-security-core&utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3)

[ipaulbogdan]

@eleftherias
Same warning for 5.5.4

[lkratochvil]

Hi. Is it possible to backport fix for 5.2.x ? We are using 5.2.15.RELEASE and this issue is also reported by:
https://ossindex.sonatype.org/vulnerability/b2d59cf3-c3d9-4d25-af38-59224eb99ce1?component-type=maven&component-name=org.springframework.security.spring-security-core&utm_source=dependency-check&utm_medium=integration&utm_content=6.5.3

[eleftherias]

I believe this vulnerability was created by mistake.
I have reported it to OSSINDEX in this issue OSSIndex/vulns#249

At this time we don't intend to backport gh-9795 because we do not believe it to be a vulnerability.