CVE-2024-22257: executable affected-version evidence for dependency-check
Requested Check
Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.
Grouped Route
- candidate:
CVE-2024-22257
- route URL:
https://github.com/dependency-check/DependencyCheck
- targets:
dependency-check
- route kinds:
consumer-tool
- priority:
P0
- grouped queue rows:
1
- P0 rows in group:
1
Evidence Summary
- projection-loss versions:
4
- consumer false-negative versions:
0
- source-disagreement versions:
8
- report paths:
external_validation_reports/CVE-2024-22257_external_validation_report.md
Target-Specific Packets
| Target |
Route kind |
Priority |
Reason |
Body |
SHA-256 |
dependency-check |
consumer-tool |
P0 |
consumer interpretation misses witness-vulnerable versions |
external_validation_submissions/CVE-2024-22257__dependency-check.md |
843f572ad05de9c628da955034ee54439f74a17d83a26515b4bae6c54fdebd0a |
Reproduction
make cve-2024-22257
make interval-certificates topology-theorem order-sensitivity version-dags
make install-consumer-tools consumer-tools-all consumer-tools-dependency-check consumer-tools-gradle-cyclonedx
make public-prevalence case-certificates verify-certificates topology-aware validate-artifact
Full Packet Text
The target-specific packet bodies are included below so this grouped issue remains self-contained.
Packet: dependency-check / consumer-tool
CVE-2024-22257: executable affected-version evidence for dependency-check
Requested Check
Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.
Reason For Contact
- target:
dependency-check
- route kind:
consumer-tool
- reason: consumer interpretation misses witness-vulnerable versions
- report:
external_validation_reports/CVE-2024-22257_external_validation_report.md
Executable Certificate
- candidate:
CVE-2024-22257
- bitstring:
111110101010
- minimum interval cover:
4
- V-S-V witnesses:
3
- zero-error single intervals:
0
- full-recall false-positive lower bound:
3
- zero-false-positive false-negative lower bound:
3
Projection-Loss Coordinates
org.springframework.security:spring-security-core:2.0.8.RELEASE
- version:
2.0.8.RELEASE
- claim projection decisions:
CVE:namespace_missing;NVD:package_excluded
- excluding sources:
CVE;NVD
- detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product
org.springframework.security:spring-security-core:3.0.0.RELEASE
- version:
3.0.0.RELEASE
- claim projection decisions:
CVE:namespace_missing;NVD:package_excluded
- excluding sources:
CVE;NVD
- detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product
org.springframework.security:spring-security-core:4.2.20.RELEASE
- version:
4.2.20.RELEASE
- claim projection decisions:
CVE:namespace_missing;NVD:package_excluded
- excluding sources:
CVE;NVD
- detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product
org.springframework.security:spring-security-core:5.6.12
- version:
5.6.12
- claim projection decisions:
CVE:namespace_missing;NVD:package_excluded
- excluding sources:
CVE;NVD
- detail: CVE: published version is older than every CVE affected version expression; NVD: no NVD CPE row matched the configured product
Consumer Observations
dependency-check: rows=12, ok=12, false_negatives=8, false_positives=0
- false-negative versions:
2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2
Source Disagreements
- versions with source disagreement:
2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2
Reproduction
make cve-2024-22257
make interval-certificates topology-theorem order-sensitivity version-dags
make consumer-tools public-prevalence case-certificates verify-certificates
Primary Evidence Files
consumer_matrix: out/consumer_tools/latest/consumer_false_negative_matrix.csvdependency_check_consumer_matrix: out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csvgradle_cyclonedx_consumer_matrix: out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csvorder_sensitivity: out/order_sensitivity/order_sensitivity.csvoutcomes: out/witness_runs/CVE-2024-22257/latest/outcomes.csvprojection_decision_matrix: out/metadata_analysis/CVE-2024-22257/projection_decision_matrix.csvprojection_loss_summary: out/metadata_analysis/CVE-2024-22257/projection_loss_summary.csvpublic_prevalence_by_case: out/public_prevalence/latest/public_dependency_prevalence_by_case.csvtheorem: out/theorem/single_interval_impossibility.json
CVE-2024-22257: executable affected-version evidence for dependency-check
Requested Check
Please review the attached executable affected-version evidence and decide whether the affected-version data, package namespace, or consumer interpretation should be updated or explicitly documented.
Grouped Route
CVE-2024-22257https://github.com/dependency-check/DependencyCheckdependency-checkconsumer-toolP011Evidence Summary
408external_validation_reports/CVE-2024-22257_external_validation_report.mdTarget-Specific Packets
dependency-checkconsumer-toolP0external_validation_submissions/CVE-2024-22257__dependency-check.md843f572ad05de9c628da955034ee54439f74a17d83a26515b4bae6c54fdebd0aReproduction
Full Packet Text
The target-specific packet bodies are included below so this grouped issue remains self-contained.
Packet: dependency-check / consumer-tool
CVE-2024-22257: executable affected-version evidence for dependency-check
Requested Check
Please review whether the affected-version data for this vulnerability should be updated, or whether the current exclusion is intentional and should be represented explicitly for downstream consumers.
Reason For Contact
dependency-checkconsumer-toolexternal_validation_reports/CVE-2024-22257_external_validation_report.mdExecutable Certificate
CVE-2024-2225711111010101043033Projection-Loss Coordinates
org.springframework.security:spring-security-core:2.0.8.RELEASE2.0.8.RELEASECVE:namespace_missing;NVD:package_excludedCVE;NVDorg.springframework.security:spring-security-core:3.0.0.RELEASE3.0.0.RELEASECVE:namespace_missing;NVD:package_excludedCVE;NVDorg.springframework.security:spring-security-core:4.2.20.RELEASE4.2.20.RELEASECVE:namespace_missing;NVD:package_excludedCVE;NVDorg.springframework.security:spring-security-core:5.6.125.6.12CVE:namespace_missing;NVD:package_excludedCVE;NVDConsumer Observations
dependency-check: rows=12, ok=12, false_negatives=8, false_positives=02.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2Source Disagreements
2.0.8.RELEASE, 3.0.0.RELEASE, 4.2.20.RELEASE, 5.6.12, 5.7.11, 5.8.10, 6.1.7, 6.2.2Reproduction
Primary Evidence Files
consumer_matrix:out/consumer_tools/latest/consumer_false_negative_matrix.csvdependency_check_consumer_matrix:out/consumer_tools/dependency-check-latest/consumer_false_negative_matrix.csvgradle_cyclonedx_consumer_matrix:out/consumer_tools/gradle-cyclonedx-latest/consumer_false_negative_matrix.csvorder_sensitivity:out/order_sensitivity/order_sensitivity.csvoutcomes:out/witness_runs/CVE-2024-22257/latest/outcomes.csvprojection_decision_matrix:out/metadata_analysis/CVE-2024-22257/projection_decision_matrix.csvprojection_loss_summary:out/metadata_analysis/CVE-2024-22257/projection_loss_summary.csvpublic_prevalence_by_case:out/public_prevalence/latest/public_dependency_prevalence_by_case.csvtheorem:out/theorem/single_interval_impossibility.json