CVE 映射到 Java 库
CVE mapping to Java library
有dependency-check-maven plugin which checks if 3rd party dependencies in my Java project have known vulnerability. The issue is that this plugin has lot of false positives (and quite likely false negatives) due to the fact that CVE does not contain unique identifier of the library. For example recent Spring vulnerability CVE-2018-1275 contains identifier cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0 up to (excluding) 4.3.16 which is quite hard to map to exact Maven dependency. See this article了解更多详情。
CVE 和 Maven 依赖项之间是否存在一些可公开访问的映射以允许更可靠的检查?
我知道还有 2 个其他选项。按字母顺序排列:
有dependency-check-maven plugin which checks if 3rd party dependencies in my Java project have known vulnerability. The issue is that this plugin has lot of false positives (and quite likely false negatives) due to the fact that CVE does not contain unique identifier of the library. For example recent Spring vulnerability CVE-2018-1275 contains identifier cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:* versions from (including) 4.3.0 up to (excluding) 4.3.16 which is quite hard to map to exact Maven dependency. See this article了解更多详情。
CVE 和 Maven 依赖项之间是否存在一些可公开访问的映射以允许更可靠的检查?
我知道还有 2 个其他选项。按字母顺序排列: