I think so, the ASF has been creating a lot of tooling to help improve
the CVE reporting process; hopefully the CPE/artifact name can be added to
the report. I'll follow up with the ASF Infra team.

NOTE: Even if we can add it, some vuln scanners use fuzzy matching,
which causes false positives (mainly because the Maven artifact
coordinates are not listed in CVEs).

On Wed, Sep 29, 2021 at 6:02 AM philip <phi...@whiuk.com> wrote:
>
> Is it practical to look at separating the Spring library from the rest
> of Shiro?
> It seems like we see a fair number of vulnerabilities for the Spring
> code which don't affect other modules / usage.
>
> Best regards,
>
> Philip Whitehouse
>
> On 2021-09-16 21:19, Brian Demers wrote:
> > Description:
> >
> > Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a
> > specially crafted HTTP request may cause an authentication bypass.
> >
> > Users should update to Apache Shiro 1.8.0.
> >
> > Credit:
> >
> > Apache Shiro would like to thank tsug0d for reporting this issue.
