Dependabot security not working for Spring Boot

[davidvieiratrustly]

The version of Spring Boot is not being detected by dependency graph, for example in https://github.com/spring-projects/spring-petclinic/network/dependencies

Thus, dependabot security is not alerting us to this critical vulnerability GHSA-36p3-wjmg-h94x

For some reason, the regular dependabot works and creates a PR to upgrade to a newer version of the Spring Boot (2.6.7). Maybe related to this PR

[jhutchings1]

@davidvieiratrustly Thanks for letting us know about this. I checked the example repository that you linked to, and confirmed that the pom.xml does not specify versions for the spring-boot projects that you showed, so we don't know what version you're actually using to alert you.

It's worth mentioning that Maven lacks the kind of lock files that are used in many other ecosystems, and this makes security assurance much more difficult because we don't have any point in time snapshot of what the dependencies are that we can analyze. We're working on an enhancement that will allow developers to upload more information about their dependencies during a build. This will give us the ability to better alert on Maven, but also many other JVM ecosystems. Keep an eye on this roadmap issue for more information.

[davidvieiratrustly]

Thank you for the reply!

You can use this command mvn help:effective-pom to generate a pom.xml with all versions and transitive dependencies. You can try on the demo project and check if it's enough to trigger the relevant security alerts.

If you need any assistance on that, please ping me. 🙏

[davidvieiratrustly]

effective-pom-example.txt
This is the generated output for this demo Spring project.

[jhutchings1]

@davidvieiratrustly Totally understand that the Maven CLI can be used to generate that kind of information, but that's a point-in-time when the pom.xml doesn't specify dependencies. Our approach to address this will be with the dependency submission API that I linked above so we can get a point-in-time snapshot of the dependencies the last time that the developer pushed. Stay tuned!