spring-guides / tut-spring-boot-oauth2

Spring Boot and OAuth2: A tutorial on "social" login and single sign on with Facebook and Github

Home Page:https://spring.io/guides/tutorials/spring-boot-oauth2/


OWASP vulnerabilities are raised in module two-providers

damiendsl opened this issue

When adding

    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>6.0.3</version>
      <configuration>
        <failBuildOnCVSS>8</failBuildOnCVSS>
        <skip>false</skip>
      </configuration>
      <executions>
        <execution>
          <phase>validate</phase>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

in module two-providers, some validation errors are raised (on a mvn clean install):

[ERROR] nimbus-jose-jwt-7.8.jar: CVE-2019-17195
[ERROR] spring-security-core-5.2.1.RELEASE.jar: CVE-2018-1258, CVE-2020-5407
[ERROR] spring-security-oauth2-core-5.2.1.RELEASE.jar: CVE-2018-1258, CVE-2020-5407
[ERROR] tomcat-embed-core-9.0.29.jar: CVE-2020-1938
[ERROR] tomcat-embed-websocket-9.0.29.jar: CVE-2020-1938, CVE-2020-8022

I have no idea how to fix CVE-2018-1258 in particular.
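One way to act on findings like these, as an added example that is not from the tutorial's repository: pin the affected libraries to patched releases through the version properties of spring-boot-starter-parent (assumed to be the module's parent; the version values are placeholders to be taken from each advisory's fixed-version line), and record any finding reviewed as not applicable in a dependency-check suppression file together with its justification. CVE-2018-1258 is used for the suppression entry because its advisory scopes it to Spring Framework 5.0.5 used with Spring Security, so the suppression is only valid once the module's resolved Spring Framework version has been checked.

```xml
<!-- pom.xml of the two-providers module (fragment, added example) -->
<properties>
  <!-- spring-boot-starter-parent lets a module override the versions it
       manages through these properties; the values are PLACEHOLDERS and
       must be replaced by the fixed version named in each advisory -->
  <spring-security.version>FIXED_VERSION_PLACEHOLDER</spring-security.version>
  <tomcat.version>FIXED_VERSION_PLACEHOLDER</tomcat.version>
  <nimbus-jose-jwt.version>FIXED_VERSION_PLACEHOLDER</nimbus-jose-jwt.version>
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>6.0.3</version>
      <configuration>
        <failBuildOnCVSS>8</failBuildOnCVSS>
        <!-- findings reviewed as not applicable live in a versioned file,
             so every suppression carries a reason and a reviewer can audit it -->
        <suppressionFiles>
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <phase>validate</phase>
          <goals><goal>check</goal></goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

<!-- dependency-check-suppressions.xml, next to the pom (separate file) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2018-1258 describes Spring Framework 5.0.5 combined with Spring
      Security; dependency-check matches it by CPE on every spring-security
      jar. Suppressed after confirming with "mvn dependency:tree" that the
      resolved spring-core in this module is not 5.0.5.
    ]]></notes>
    <!-- match only the Spring Security artifacts, not all of org.springframework -->
    <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-.*@.*$</packageUrl>
    <cve>CVE-2018-1258</cve>
  </suppress>
</suppressions>
```

Findings against tomcat-embed-core, spring-security-oauth2-core and nimbus-jose-jwt in the report are handled by the version properties, not by suppression; a suppression is only for a finding the advisory text shows does not apply to the resolved artifact.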