Possible False Positives, False Negatives and Duplicates of Gitlab Security Scanning

Some possible false positives, false negatives and duplicates were noticed during Gitlab Security Scans

Problem to solve

We have noticed some possible false positives, false negatives and duplicates during Gitlab Security Scans.

False Positives

  1. CVE-2024-38827 for org.springframework/spring-beans:6.1.11 - This vulnerability exists only in Spring Security Package
  2. CVE-2024-38827 for org.springframework/spring-core:6.1.11 - This vulnerability exists only in Spring Security Package
  3. CVE-2024-38827 for org.springframework/spring-jdbc:6.1.11 - This vulnerability exists only in Spring Security Package
  4. CVE-2024-38827 for org.springframework/spring-context:5.3.37 - This vulnerability exists only in Spring Security Package
  5. CVE-2024-28752 for org.apache.cxf:cxf-core:4.0.3 - The fix commit for this vulnerability exists in org.apache.cxf:cxf-rt-databinding-aegis
  6. CVE-2023-46749 for org.apache.shiro:shiro-core@1.12.0 - The fix commit for this vulnerability exists in shiro-web component

False Negatives

  1. CVE-2024-38820 of org.springframework:spring-core@6.1.11
  2. CVE-2021-33813 of org.jdom:jdom@1.1

Duplicates

  1. CVE-2024-29857 detected for org.bouncycastle/bcpkix-jdk18on:1.77 - CVE-2024-29857 is a vulnerability from org.bouncycastle/bcprov-jdk18on:1.77 which is a dependency of org.bouncycastle/bcpkix-jdk18on:1.77, not itself from org.bouncycastle/bcpkix-jdk18on:1.77
  2. CVE-2024-30172 detected for org.bouncycastle/bcpkix-jdk18on:1.77 - CVE-2024-30172 is a vulnerability from org.bouncycastle/bcprov-jdk18on:1.77 which is a dependency of org.bouncycastle/bcpkix-jdk18on:1.77, not itself from org.bouncycastle/bcpkix-jdk18on:1.77
  3. CVE-2024-30171 detected for org.bouncycastle/bcpkix-jdk18on:1.77 - CVE-2024-30171 is a vulnerability from org.bouncycastle/bcprov-jdk18on:1.77 which is a dependency of org.bouncycastle/bcpkix-jdk18on:1.77, not itself from org.bouncycastle/bcpkix-jdk18on:1.77
  4. CVE-2024-12798 detected for ch.qos.logback:logback-classic@1.5.6 - CVE-2024-12798 is a vulnerability from ch.qos.logback/logback-core:1.5.6 which is a dependency of ch.qos.logback:logback-classic@1.5.6, not itself from ch.qos.logback:logback-classic@1.5.6

Steps to reproduce

Scan a project with these libraries and verify the detection/non-detection of these vulnerabilities.

We would like to have a clarification on these findings.

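A triage helper of the kind a reviewer would run over the scanner's output before opening a report like the one above. This is an added example, not code from the post's author or from GitLab. It reads a dependency-scanning report in the shape of GitLab's security report JSON (`vulnerabilities[].identifiers[]` with type `cve`, and `location.dependency.package.name` / `location.dependency.version`), classifies each finding against an analyst-maintained map of which artifact actually carries each CVE, and lists expected findings that are absent. The sample report, the carrier map and the expected list are constructed here from the post's own claims; the Spring Security artifact name in the map is a placeholder because the post only names the package family.

```python
"""Triage a GitLab dependency-scanning report for possible false positives,
duplicates and false negatives (added example; not GitLab's own tooling)."""
import json
from collections import defaultdict


def _finding(cve, name, version):
    """Build one vulnerability entry in the report's shape (constructed sample)."""
    return {
        "identifiers": [{"type": "cve", "name": cve, "value": cve}],
        "location": {"file": "pom.xml",
                     "dependency": {"package": {"name": name}, "version": version}},
    }


# Constructed sample report mirroring the post's examples.
SAMPLE_REPORT_JSON = json.dumps({"version": "15.0.0", "vulnerabilities": [
    _finding("CVE-2024-38827", "org.springframework/spring-beans", "6.1.11"),
    _finding("CVE-2024-29857", "org.bouncycastle/bcprov-jdk18on", "1.77"),
    _finding("CVE-2024-29857", "org.bouncycastle/bcpkix-jdk18on", "1.77"),
    _finding("CVE-2024-12798", "ch.qos.logback/logback-core", "1.5.6"),
]})

# Analyst-maintained map: CVE -> artifacts that actually carry the vulnerable code.
# Values follow the post's claims; the Spring Security entry is a placeholder name.
CARRIERS = {
    "CVE-2024-38827": {"org.springframework.security/ARTIFACT-PER-ADVISORY"},
    "CVE-2024-29857": {"org.bouncycastle/bcprov-jdk18on"},
    "CVE-2024-12798": {"ch.qos.logback/logback-core"},
}

# (CVE, artifact) pairs the analyst expects the scanner to report (post's false-negative list).
EXPECTED = {("CVE-2024-38820", "org.springframework/spring-core"),
            ("CVE-2021-33813", "org.jdom/jdom")}


def load_sample():
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT_JSON)


def findings(report):
    """Yield (cve, package_name, version) for every CVE identifier in the report."""
    for vuln in report.get("vulnerabilities", []):
        dep = vuln["location"]["dependency"]
        name, version = dep["package"]["name"], dep.get("version")
        for ident in vuln.get("identifiers", []):
            if ident.get("type", "").lower() == "cve":
                yield ident["name"], name, version


def classify(report, carriers):
    """Return {(cve, package): status}.

    confirmed               - reported on an artifact that carries the CVE
    possible-duplicate      - same CVE is already reported on its carrier; this
                              artifact is most likely just a dependent of it
    possible-false-positive - no carrier of this CVE appears in the report at all
    unmapped                - CVE not in the carrier map; needs manual review
    """
    rows = list(findings(report))
    by_cve = defaultdict(set)
    for cve, name, _ in rows:
        by_cve[cve].add(name)
    result = {}
    for cve, name, _ in rows:
        known = carriers.get(cve)
        if known is None:
            status = "unmapped"
        elif name in known:
            status = "confirmed"
        elif by_cve[cve] & known:
            status = "possible-duplicate"
        else:
            status = "possible-false-positive"
        result[(cve, name)] = status
    return result


def missing(report, expected):
    """Expected (cve, package) pairs absent from the report: possible false negatives."""
    seen = {(cve, name) for cve, name, _ in findings(report)}
    return sorted(expected - seen)


if __name__ == "__main__":
    report = load_sample()
    for (cve, name), status in sorted(classify(report, CARRIERS).items()):
        print(f"{status:24} {cve} {name}")
    for cve, name in missing(report, EXPECTED):
        print(f"{'possible-false-negative':24} {cve} {name}")
```

Point the loader at a real `gl-dependency-scanning-report.json` instead of `load_sample()` to run it on a pipeline artifact; the carrier map is deliberately separate from the scanner's data so that each "this CVE really lives in package X" claim is something the team records and reviews, rather than something inferred from the report being questioned.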