Tags: spring, spring-boot, spring-jms, spring-messaging, spring-starter

Track specific usages of Spring libraries in my app


Recently, the application we are supporting underwent Software Composition Analysis (SCA) scanning, and some Spring libraries were found to have vulnerabilities.

The problem is, there were vulnerabilities found in certain libraries our application IS NOT using. There was one finding (details below):

This vulnerability is only applicable on systems using the Streaming Text Oriented Messaging Protocol (STOMP)

Introduced through org.springframework:spring-messaging@4.2.6.RELEASE

Fixed in org.springframework:spring-messaging@4.3.16.RELEASE, @5.0.5.RELEASE

There is no direct usage in our app of classes in this library. We tried explaining this to the security team. They replied and said "so why is it there?". Since they have minimal knowledge of Spring and its hierarchy of libraries, we need to explain to them that this may just be a kind of package import that happens when you use a Spring starter.

We don't have a direct Maven setting that specifically imports this library (spring-messaging). So I tried to find which specific parent library it comes from, but could not find any in the Spring documentation. I wanted to find out which specific Spring import included this library in our application. Is it from spring-boot-starter? Was it from spring-core? Was it from spring-context?

Can anyone help me on this? Finding out the parent library could maybe also help us double check whether this class is being used in our app unknowingly.


Solution

  • spring-messaging is a common library used by several other Spring libraries.

    (Spring integration, Spring for RabbitMQ, Spring JMS, Spring for Apache Kafka, etc.).

    As the report says, as long as you are not using STOMP in your application, the problem does not apply (and you should know if you are using STOMP).

    You can use mvn dependency:tree to see the hierarchy of dependencies.
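The following is an added example, not part of the original answer or of Maven itself. It shows how to turn the text that mvn dependency:tree prints into the chain of parents that pulls in a given artifact, which is exactly the evidence the asker needs for the SCA finding. The tree text is a constructed sample (the project name, the spring-boot versions and the spring-jms parent are assumptions; only spring-messaging 4.2.6.RELEASE comes from the question). The dependency_path function reads the tree from stdin and prints one root-to-artifact path per occurrence.

```shell
#!/bin/sh
# Resolve "which parent brings in this artifact" from mvn dependency:tree output.
# Usage: mvn dependency:tree | dependency_path org.springframework:spring-messaging

# Constructed sample of mvn dependency:tree output (not from a real build).
SAMPLE_TREE='[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter:jar:1.3.8.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:1.3.8.RELEASE:compile
[INFO] |  \- org.springframework:spring-core:jar:4.2.6.RELEASE:compile
[INFO] +- org.springframework:spring-jms:jar:4.2.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-messaging:jar:4.2.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-tx:jar:4.2.6.RELEASE:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:1.3.8.RELEASE:test
[INFO]    \- junit:junit:jar:4.12:test'

# dependency_path GROUP:ARTIFACT  (tree text on stdin)
# Prints "root -> parent -> ... -> artifact" for every place the artifact appears.
dependency_path() {
  awk -v target="$1" '
    {
      line = $0
      sub(/^\[INFO\] /, "", line)          # drop the Maven log prefix
      # The drawing prefix ("+- ", "|  ", "\- ", "   ") is 3 chars per level,
      # and coordinates always start with a letter, so the non-letter run
      # before the coordinate tells us the depth.
      match(line, /^[^a-zA-Z]*/)
      depth = RLENGTH / 3
      coord = substr(line, RLENGTH + 1)
      if (coord !~ /^[^: ]+:[^: ]+:/) next  # not a groupId:artifactId:... line
      chain[depth] = coord                   # remember the ancestor at this level
      if (index(coord, target ":") == 1) {
        path = chain[0]
        for (i = 1; i <= depth; i++) path = path " -> " chain[i]
        print path
      }
    }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_TREE" | dependency_path org.springframework:spring-messaging
```

With a real build, pipe mvn dependency:tree into the function instead of the sample; Maven's own -Dincludes filter (mvn dependency:tree -Dincludes=org.springframework:spring-messaging) gives the same kind of answer without any scripting. To go one step further and check whether your own code actually references the library, mvn dependency:analyze reports compile-time class usage per dependency, which is the bytecode-level evidence a security team usually accepts for "present but unused".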