[FP]: False positive findings in Dependency Checker for spring-binding

[danshome]

Package URl

pkg:maven/org.springframework.webflow/spring-binding@3.0.1

CPE

cpe:2.3:a:pivotal_software:spring_framework:3.0.1:::::::*

CVE

CVE-2016-9878

ODC Integration

{"label" => "Maven Plugin"}

ODC Version

12.1.3

Description

CVE-2016-9878 is a directory-traversal issue in the Spring Framework’s ResourceServlet (module: spring-webmvc) and affects Framework versions 3.2.0–3.2.17, 4.2.0–4.2.8, and 4.3.0–4.3.4. The flagged artifact is org.springframework.webflow:spring-binding:3.0.1, which is part of Spring Web Flow, not Spring Framework MVC. spring-binding 3.0.1 does not contain or depend on spring-webmvc; its published POM lists only a runtime dependency on org.springframework:spring-context:6.0.23. Moreover, ResourceServlet was deprecated in 3.2/4.x and removed entirely in Spring Framework 5+, so there is no vulnerable code path here. This finding is a cross-product CPE match to “spring_framework,” not a vulnerability in spring-binding.

[github-actions]

Maven Coordinates

<dependency>
   <groupId>org.springframework.webflow</groupId>
   <artifactId>spring-binding</artifactId>
   <version>3.0.1</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7875
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.webflow/spring-binding@.*$</packageUrl>
   <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/17076098566

[danshome]

Here is the actual error in the build...

23:05:45 [ERROR] Failed to execute goal org.owasp:dependency-check-maven:12.1.3:check (default) on project cris-internalidp-webapp:
23:05:45 [ERROR]
23:05:45 [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
23:05:45 [ERROR]
23:05:45 [ERROR] idp-war-5.1.5.war: spring-binding-3.0.1.jar (cpe:2.3:a:pivotal_software:spring_framework:3.0.1:::::::*): CVE-2016-9878(7.5)
23:05:45 [ERROR]
23:05:45 [ERROR] See the dependency-check report for more details.

[aikebah]

This project does not attempt to attribute NVD listed vulnerabilities to a more fine-grained level than attribution to the proper CPE (will take no effort to identify the vulnerable jar-component of a framework taken as a single CPE by the NVD).

Spring webflow falls under the spring-framework CPE and as such this false positive will have to be handled by your project.
CPE attribution is proper.