Dependabot security not working for Spring Boot #15396
The version of Spring Boot is not being detected by the dependency graph, for example in https://github.com/spring-projects/spring-petclinic/network/dependencies. Thus, Dependabot security is not alerting us to this critical vulnerability, GHSA-36p3-wjmg-h94x. For some reason, the regular Dependabot works and creates a PR to upgrade to a newer version of Spring Boot (2.6.7). Maybe related to this PR
Replies: 1 comment 3 replies
@davidvieiratrustly Thanks for letting us know about this. I checked the example repository that you linked to, and confirmed that the pom.xml does not specify versions for the spring-boot projects that you showed, so we don't know what version you're actually using to alert you. It's worth mentioning that Maven lacks the kind of lock files that are used in many other ecosystems, and this makes security assurance much more difficult because we don't have any point in time snapshot of what the dependencies are that we can analyze. We're working on an enhancement that will allow developers to upload more information about their dependencies during a build. This will give us the ability to better alert on Maven, but also many other JVM ecosystems. Keep an eye on this roadmap issue for more information.
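The reply above explains why the dependency graph stayed silent: the pom.xml itself carries no version for the Spring Boot artifacts, so a scanner that reads only that file cannot know which version is in use. The following added example is my own code, not GitHub's, Dependabot's or the petclinic project's. It is a small pom.xml checker that reproduces exactly that limitation: it parses the file, resolves versions only through the file's own <properties>, and lists every dependency whose version is not visible without also resolving the parent POM. The sample pom is constructed to resemble the Spring Boot starter-parent pattern and is not the real petclinic file; the parent version 2.6.6 in it is a made-up sample value.

```python
import re
import xml.etree.ElementTree as ET

# Maven POM namespace; every element in a modern pom.xml lives in it.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"^\$\{([^}]+)\}$")

# Constructed sample pom.xml (not the petclinic project's real file). It mirrors
# the usual Spring Boot layout: the starters carry no <version> element and
# inherit it from spring-boot-starter-parent; h2 uses a locally defined property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.6</version>
  </parent>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <h2.version>2.1.210</h2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>${h2.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def local_name(tag):
    """Strip the namespace from an ElementTree tag like '{ns}h2.version'."""
    return tag.rsplit("}", 1)[-1]


def parse_pom(xml_text):
    """Return (parent coordinates or None, local properties, dependency list)."""
    root = ET.fromstring(xml_text)

    parent = root.find("m:parent", NS)
    parent_info = None
    if parent is not None:
        parent_info = {k: parent.findtext(f"m:{k}", default="", namespaces=NS)
                       for k in ("groupId", "artifactId", "version")}

    properties = {}
    props = root.find("m:properties", NS)
    if props is not None:
        properties = {local_name(p.tag): (p.text or "").strip() for p in props}

    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        deps.append({
            "groupId": dep.findtext("m:groupId", default="", namespaces=NS),
            "artifactId": dep.findtext("m:artifactId", default="", namespaces=NS),
            # None when the <version> element is absent entirely.
            "version": dep.findtext("m:version", default=None, namespaces=NS),
        })
    return parent_info, properties, deps


def literal_version(version, properties):
    """Resolve a version string using only this file's own <properties>.

    Returns the literal version, or None when the file alone cannot tell us
    (element missing, or a ${property} that is not defined locally).
    """
    if version is None:
        return None
    version = version.strip()
    m = PROP_RE.match(version)
    if m:
        return properties.get(m.group(1)) or None
    return version or None


def unresolved_dependencies(xml_text):
    """Coordinates whose version is not determinable from the pom.xml itself."""
    _, properties, deps = parse_pom(xml_text)
    return [f'{d["groupId"]}:{d["artifactId"]}' for d in deps
            if literal_version(d["version"], properties) is None]


if __name__ == "__main__":
    parent_info, _, _ = parse_pom(SAMPLE_POM)
    print("parent:", parent_info)
    for coord in unresolved_dependencies(SAMPLE_POM):
        print("version not visible in pom.xml:", coord)
```

Run against the sample, the two Spring Boot starters are reported as unresolved while h2 is not, because its version is reachable through the file's own properties. The versions that actually get built are only visible in the effective POM (for example via Maven's help:effective-pom goal) or in the built artifact, which is the gap the reply describes and why a point-in-time snapshot from the build is needed for reliable alerting.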