"and all previous versions" for version ranges


Jim Sellers

Jan 2, 2015, 9:34:29 AM
to dependen...@googlegroups.com
Hello.

I'm using spring 3.2.12.RELEASE and when running the tool it flags it for CVE-2014-1904.

This shows it applies to 3.0.0 to 3.2.7 and "and all previous versions" AND 4.0.0.m1 to 4.0.1 and "and all previous versions".

My guess is that 3.2.12 is being flagged because of the "and all previous versions" for the 4.x stream.

Is this expected behaviour, and should I just generate a suppression file for this?

Thanks for your time,
Jim

Jeremy Long

Jan 3, 2015, 7:28:10 AM
to Jim Sellers, dependen...@googlegroups.com
Jim,

You are exactly correct with what is happening and yes, this is expected behavior. As the dependency-check team does not maintain a vulnerability database (the tool relies on the NVD), we made the choice to report false positives like this, as it is easy for a human to look at this and determine if there is a real issue. The "all previous versions" is always problematic when major version numbers change; for some projects it is a completely different code base (see Axis and Struts) and for others it is not. We have hard-coded workarounds for Axis and Struts, but these are currently the only two.

After looking at this we should be able to filter this out with a slightly more complicated matching algorithm. I just opened a ticket, issue #180, for an enhancement request.

Best Regards,

Jeremy

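The matching behaviour described in this thread, as an added example that is not dependency-check's own code: the two CVE-2014-1904 ranges are taken from the thread, while `naive_match` models the current "and all previous versions" handling and `tightened_match` is one assumed way a stricter matcher could keep the 4.x entry from flagging 3.2.12.

```python
import re
# Range data for CVE-2014-1904 as quoted in the thread: (start, end, "and all
# previous versions"). The matching functions below are assumptions, not
# dependency-check's actual algorithm.
CVE_2014_1904_RANGES = [
    ("3.0.0", "3.2.7", True),
    ("4.0.0.M1", "4.0.1", True),
]

def parse_version(v):
    """Split '4.0.0.M1' into numeric components and a pre-release tag."""
    nums, tag = [], ""
    for part in re.split(r"[.\-]", v.strip()):
        if part.isdigit():
            nums.append(int(part))
        else:
            tag = part.upper()  # e.g. M1, RC1, RELEASE
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums), tag

def version_key(v):
    """Sortable key: milestones/RCs sort before the final release of the same number."""
    nums, tag = parse_version(v)
    is_final = tag in ("", "RELEASE", "FINAL")
    return nums + ((1, "") if is_final else (0, tag))

def naive_match(version, vuln_range):
    """Behaviour described in the thread: with "previous versions" set, anything
    at or below the range end matches, whatever its major version."""
    lo, hi, previous = vuln_range
    k = version_key(version)
    return k <= version_key(hi) if previous else version_key(lo) <= k <= version_key(hi)

def tightened_match(version, vuln_range):
    """Assumed refinement: "previous versions" only reaches back within the
    major version the range starts in, so the 4.x entry cannot flag 3.2.12."""
    lo = vuln_range[0]
    if vuln_range[2] and parse_version(version)[0][0] != parse_version(lo)[0][0]:
        return False
    return naive_match(version, vuln_range)

def flags(version, matcher, ranges=CVE_2014_1904_RANGES):
    """Return the ranges under which `matcher` reports `version` as affected."""
    return [r for r in ranges if matcher(version, r)]

if __name__ == "__main__":
    for m in (naive_match, tightened_match):
        print(m.__name__, flags("3.2.12.RELEASE", m))
```

Restricting "previous versions" to the same major removes the cross-stream false positive, but it would also hide a 2.x hit for a CVE that genuinely spans majors, which is the trade-off Jeremy describes for projects whose old and new majors share a code base.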

