Track specific usages of Spring libraries in my app
Question
Recently, the application we are supporting had just undergone Software Composition Analysis (SCA) scanning and there were some Spring libraries that were found to have vulnerabilities.
The problem is, there were vulnerabilities found in certain libraries our application IS NOT using. There was one finding (details below):
- This vulnerability is only applicable on systems using the Streaming Text Oriented Messaging Protocol (STOMP).
- Introduced through org.springframework:spring-messaging@4.2.6.RELEASE.
- Fixed in org.springframework:spring-messaging@4.3.16.RELEASE, @5.0.5.RELEASE.
There is no direct usage in our app of classes in this library. We tried explaining this to the security team. They replied and said "so why is it there?". Since they have minimal knowledge of Spring and its hierarchy of libraries, we need to explain to them that this may just be a kind of package import when you use a Spring Starter.
We don't have a direct Maven setting that specifically imports this library (spring-messaging). So I tried to find what specific parent library this is from, but could not find anything in the Spring documentation. I wanted to find out which specific Spring import included this library in our application. Is it from spring-boot-starter? Was it from spring-core? Was it from spring-context?
Can anyone help me on this? Finding out the parent library could maybe also help us double-check whether this class is being used in our app unknowingly.
Answer 1
Score: 0
spring-messaging is a common library used by several other Spring libraries.
(Spring Integration, Spring for RabbitMQ, Spring JMS, Spring for Apache Kafka, etc.).
As the report says, as long as you are not using STOMP in your application, the problem does not apply (and you should know if you are using STOMP).
You can use mvn dependency:tree to see the hierarchy of dependencies.
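As an added example that is not part of the original answer: a small POSIX shell/awk helper that reads mvn dependency:tree output and prints the chain from the root module down to a named artifact, which is the evidence to hand the security team for "why is it there?". The tree text below is a constructed sample (the module name, starters and versions are placeholders); in practice you feed it the real output of mvn dependency:tree from the project.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Given the tree block printed by `mvn dependency:tree`, print the chain of
# coordinates from the root module down to the first occurrence of a
# groupId:artifactId, i.e. which direct dependency drags it in transitively.

# Constructed sample of `mvn dependency:tree` output (all values are placeholders).
SAMPLE_TREE='[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.3.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.8.RELEASE:compile
[INFO] +- org.springframework.kafka:spring-kafka:jar:1.2.0.RELEASE:compile
[INFO] |  \- org.springframework:spring-messaging:jar:4.2.6.RELEASE:compile
[INFO] \- junit:junit:jar:4.12:test'

# Usage: dependency_path "<tree text>" "<groupId:artifactId>"
# Prints one coordinate per line, root first, ending with the target artifact.
# Pass only the tree lines (the block between the plugin banner and BUILD SUCCESS).
dependency_path() {
    printf '%s\n' "$1" | awk -v target="$2" '
        {
            sub(/^\[INFO\] /, "")              # drop the Maven log prefix
            # The tree prefix is built from 3-character cells: "+- ", "\- ", "|  ", "   ".
            # The coordinate itself starts at the first alphanumeric character.
            if (match($0, /[A-Za-z0-9]/) == 0) next
            if ((RSTART - 1) % 3 != 0) next    # not a tree line (e.g. plugin banner)
            depth = (RSTART - 1) / 3
            coord = substr($0, RSTART)
            split(coord, parts, ":")           # groupId:artifactId:type[:classifier]:version:scope
            ga = parts[1] ":" parts[2]
            stack[depth] = coord               # ancestors at shallower depths stay valid
            if (ga == target) {
                for (i = 0; i <= depth; i++) print stack[i]
                exit
            }
        }'
}

# Stand-alone run: show what pulls in spring-messaging in the sample tree.
dependency_path "$SAMPLE_TREE" org.springframework:spring-messaging
```

If the artifact appears under more than one parent, run the real tree with -Dverbose to also see the occurrences Maven omitted as duplicates.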