Philip, I heard back from the Sec team, this IS something that _should_ be available in the future. Sounds like there is a new CVE-related schema that should help fill in some of the gaps!

- https://cve.mitre.org/community/board/meeting_summaries/21_July_2021.pdf
- https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/CVE_JSON_5.0.schema

Thanks for reaching out!

On Wed, Sep 29, 2021 at 1:40 PM Philip Whitehouse <phi...@whiuk.com> wrote:
>
> If I have to fix the vulnerability scanner that's a price probably worth
> paying :)
>
> Best,
>
> Philip Whitehouse
>
> > On 29 Sep 2021, at 16:51, Brian Demers <brian.dem...@gmail.com> wrote:
> >
> > I think so, the ASF has been creating a lot of tooling to help improve
> > the CVE reporting process, hopefully the CPE/artifact name can be added to
> > the report. I'll follow up with the ASF Infra team.
> >
> > NOTE: Even if we can add it, some vuln scanners use fuzzy matching,
> > which causes false positives. (mainly because the Maven artifact
> > coordinates are not listed in CVEs)
> >
> >> On Wed, Sep 29, 2021 at 6:02 AM philip <phi...@whiuk.com> wrote:
> >>
> >> Is it practical to look at separating the Spring library from the rest
> >> of Shiro?
> >> It seems like we see a fair number of vulnerabilities for the Spring
> >> code which don't affect other modules / usage.
> >>
> >> Best regards,
> >>
> >> Philip Whitehouse
> >>
> >>> On 2021-09-16 21:19, Brian Demers wrote:
> >>> Description:
> >>>
> >>> Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a
> >>> specially crafted HTTP request may cause an authentication bypass.
> >>>
> >>> Users should update to Apache Shiro 1.8.0.
> >>>
> >>> Credit:
> >>>
> >>> Apache Shiro would like to thank tsug0d for reporting this issue.
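The false-positive problem Brian describes (scanners fuzzy-matching on a product name because the CVE carries no Maven coordinates) versus what the CVE JSON 5.0 `affected` block makes possible, as an added illustration that is not code from this thread or from the Shiro project. The record below is constructed after the Shiro 1.8.0 advisory quoted above; the CVE id is a placeholder, and the `packageName`, `collectionURL` and `versionType` values are an assumption of what a CNA could publish, not values from the thread.

```python
# Constructed CVE JSON 5.0-style record modelled on the Shiro 1.8.0 advisory.
# The CVE id is a placeholder; packageName/collectionURL/versionType are an
# assumption of what a CNA could fill in via the 5.0 "affected" schema.
CVE_RECORD = {
    "cveMetadata": {"cveId": "CVE-YYYY-NNNNN"},
    "containers": {"cna": {"affected": [{
        "vendor": "Apache Software Foundation",
        "product": "Apache Shiro",
        "collectionURL": "https://repo.maven.apache.org/maven2",
        "packageName": "org.apache.shiro:shiro-spring-boot-web-starter",
        "versions": [{"version": "0", "status": "affected",
                      "versionType": "maven", "lessThan": "1.8.0"}],
    }]}},
}


def parse_version(v):
    """'1.7.1' -> (1, 7, 1): tuple comparison then orders numeric dotted versions."""
    return tuple(int(p) for p in v.split("."))


def version_affected(versions, version):
    """True if `version` falls in an 'affected' entry of a CVE 5.0 versions array."""
    v = parse_version(version)
    for entry in versions:
        if entry.get("status") != "affected":
            continue
        lower = parse_version(entry["version"])
        if "lessThan" in entry:          # half-open range [version, lessThan)
            if lower <= v < parse_version(entry["lessThan"]):
                return True
        elif v == lower:                 # single affected version
            return True
    return False


def match_exact(record, coord):
    """Coordinate match: groupId:artifactId of `coord` must equal packageName."""
    ga, version = coord.rsplit(":", 1)
    return any(a.get("packageName") == ga and version_affected(a["versions"], version)
               for a in record["containers"]["cna"]["affected"])


def match_fuzzy(record, coord):
    """Name-token match, as some scanners fall back to when no coordinate is in the CVE."""
    ga, version = coord.rsplit(":", 1)
    return any(a["product"].split()[-1].lower() in ga.lower()
               and version_affected(a["versions"], version)
               for a in record["containers"]["cna"]["affected"])
```

With the coordinate in the record, `shiro-core:1.7.1` is not flagged by the exact matcher but is flagged by the fuzzy one, which is exactly the false positive the thread anticipates.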