On 06/09/2023 20:04, Francois Marot wrote:
Hello,

I'm in the process of switching from Dependency-check [1] to
Dependency-track [2] to analyse vulnerabilities on my dependencies.
I analyze a classic Spring Boot webapp depending upon
org.apache.tomcat.embed:tomcat-embed-core. Dependency-Check, which uses a kind
of fuzzy logic, detects (correctly?) CVEs (such as CVE-2023-28709 or
CVE-2023-41080).
Dependency-Track uses exact matching with the artifact identifiers and does
not detect those CVEs.
I imagine (not totally sure) that those CVEs also affect
tomcat-embed-core and not only apache:tomcat, but it seems like they are
not targeting this "by-product" of the classic Tomcat.

What is or should be the correct process? Should the Tomcat team declare
those CVEs as also affecting tomcat-embed-core? Should the CVE people do
the job by themselves?

The Tomcat project maps CVEs to Tomcat versions. We do not break it down to the component level. You need to raise this with whichever entity is mapping the Tomcat CVEs to specific components rather than all components for that version. It looks like Dependency-Track should be your first point of call.

Mark



I've just found out that I'm not the only one having those questions:
https://stackoverflow.com/questions/74886946/vulnerablities-for-tomcat-embed-core-in-owasp-dependencytrack
but still looking for advice/guidance.

Best regards
Francois

[1] - https://owasp.org/www-project-dependency-check/
[2] - https://dependencytrack.org/
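As an added illustration (not code from this thread, from Dependency-Track or from Dependency-Check), the Python below mimics the two matching strategies the question contrasts: identifier-style matching, where the Maven artifact id must equal the CPE product name, and token-style matching, where vendor and product only have to appear somewhere in the coordinates. The CPE criteria are constructed sample data shaped like NVD "cpeMatch" nodes, with placeholder ranges rather than the real CVE data; the PURL for tomcat-embed-core is likewise a constructed input.

```python
import re

# Constructed sample data shaped like NVD "cpeMatch" nodes; real ranges live in the NVD record.
SAMPLE_CRITERIA = [
    {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "9.0.71", "versionEndIncluding": "9.0.74"},
    {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "10.1.5", "versionEndIncluding": "10.1.7"},
]
EMBED_PURL = "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.73?type=jar"  # constructed

def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string (13 colon-separated fields)."""
    f = cpe.split(":")
    if len(f) != 13 or f[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return f[3], f[4]

def parse_purl(purl):
    """Return (group, artifact, version) from a Maven package URL; qualifiers are ignored."""
    m = re.fullmatch(r"pkg:maven/([^/]+)/([^@]+)@([^?#]+)(?:[?#].*)?", purl)
    if not m:
        raise ValueError(f"not a Maven purl: {purl}")
    return m.group(1), m.group(2), m.group(3)

def vtuple(v):
    return tuple(int(x) for x in v.split("."))

def in_range(version, node):
    """Apply whichever NVD range bounds the node carries; a missing bound is open."""
    v = vtuple(version)
    lo_i, hi_i, hi_e = (node.get(k) for k in ("versionStartIncluding", "versionEndIncluding", "versionEndExcluding"))
    return ((lo_i is None or vtuple(lo_i) <= v)
            and (hi_i is None or v <= vtuple(hi_i))
            and (hi_e is None or v < vtuple(hi_e)))

def cve_hits(purl, criteria, fuzzy=False):
    """Return the CPE criteria whose name and version range match the artifact.
    fuzzy=False: the CPE product must equal the Maven artifact id (identifier-style).
    fuzzy=True:  vendor and product need only appear as tokens of the coordinates."""
    group, artifact, version = parse_purl(purl)
    tokens = set(re.split(r"[.\-]", f"{group}.{artifact}"))
    hits = []
    for node in criteria:
        vendor, product = parse_cpe(node["criteria"])
        named = {vendor, product} <= tokens if fuzzy else (vendor in tokens and product == artifact)
        if named and in_range(version, node):
            hits.append(node["criteria"])
    return hits
```

With the sample data, `cve_hits(EMBED_PURL, SAMPLE_CRITERIA)` returns nothing because the CPE names the product `tomcat`, not `tomcat-embed-core`, while the fuzzy variant flags the first node; the same token logic is what exposes a fuzzy matcher to false positives on unrelated artifacts that happen to share a token.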

