Running a Job Step with the OWASP Dependency Scan reveals a Critical CVE in SpringBoot’s Core JAR and GitLab Dependency (Gemnasium) Scan doesn’t capture the same.
I was expecting the Dependency Scan to catch this same recent CVE-2020-5421 since I use SpringBoot CORE version 5.2.8 and according to the nvd.nist.gov site the Core is impacted by this CVE.
OnPrem GitLab Version: 13.3.6-ee
Using Include: - template: Security/Dependency-Scanning.gitlab-ci.yml
and for OWASP using Maven’s OWASP Dependency Scan
In the Gitlab Gemnasium DB project I see the CVE was included recently and in the run of my job I can see the hash of the DB pulled does include this change.
It could be the OWASP scanner is a less specific check and maybe a false positive where the Dependency scan is looking specifically at only the package slug: maven/org.spring.framework/spring-mvc*. Though since my project is a SpringBoot Web Services project I’d assume based on the NIST description of the CVE I’m still impacted by it.
Is the Gemnasium DB configuration too specific here or is it correct to only check the one package it’s checking for?