Philip, I heard back from the Sec team, this IS something that
_should_ be available in the future. Sounds like there is a new CVE-related
schema that should help fill in some of the gaps!
- https://cve.mitre.org/community/board/meeting_summaries/21_July_2021.pdf
If I have to fix the vulnerability scanner, that’s a price probably worth paying :)
Best,
Philip Whitehouse
> On 29 Sep 2021, at 16:51, Brian Demers wrote:
>
> I think so; the ASF has been creating a lot of tooling to help improve
> the CVE reporting process, hopefully the CPE/artifact name can
I think so; the ASF has been creating a lot of tooling to help improve
the CVE reporting process, and hopefully the CPE/artifact name can be added to
the report. I'll follow up with the ASF Infra team.
NOTE: Even if we can add it, some vulnerability scanners use fuzzy matching,
which causes false positives.
Is it practical to look at separating the Spring library from the rest
of Shiro?
It seems like we see a fair number of vulnerabilities for the Spring
code which don't affect other modules / usage.
Best regards,
Philip Whitehouse
On 2021-09-16 21:19, Brian Demers wrote:
Description:
Apache