u/BrotherGlad4572

Building SCA pipeline for Spring Boot — SBOM vs JAR scanning, what's the right approach?

Hey everyone,

I'm building a CI SCA pipeline for a Spring Boot application using Dependency-Check, Trivy, and OSV Scanner.

I've been going back and forth between two approaches:

  1. Generate a CycloneDX SBOM from Maven and feed it into all the tools
  2. Resolve dependencies into a local Maven cache and point the tools directly at the JARs or POM files

From my testing, scanning the Maven cache directly produces a huge amount of noise — false positives coming from other libraries' POM files declaring their own dependency versions, which Maven never actually uses at runtime.

The SBOM approach gives much cleaner results since it only contains the versions Maven actually resolved.

Is SBOM the industry standard for this kind of pipeline? Are there any downsides I'm missing?

reddit.com
u/BrotherGlad4572 — 7 days ago

Building SCA pipeline for Spring Boot — SBOM vs JAR (Maven cache), what's the right approach?

Hey everyone,

I'm building a CI SCA pipeline for a Spring Boot application using Dependency-Check, Trivy, and OSV Scanner.

I've been going back and forth between two approaches:

  1. Generate a CycloneDX SBOM from Maven and feed it into all the tools
  2. Resolve dependencies into a local Maven cache and point the tools directly at the JARs or POM files

From my testing, scanning the Maven cache directly produces a huge amount of noise — false positives coming from other libraries' POM files declaring their own dependency versions, which Maven never actually uses at runtime.

The SBOM approach gives much cleaner results since it only contains the versions Maven actually resolved.

Is SBOM the industry standard for this kind of pipeline? Are there any downsides I'm missing?

reddit.com
u/BrotherGlad4572 — 7 days ago

Dependency-Check flagging Spring Security 7.1.0 as vulnerable and false positives issues?

Hey everyone,

I'm running OWASP Dependency-Check 12.2.2 against my Spring Boot 4.1.0 project and it's flagging spring-security-core 7.1.0 as HIGH severity.

The CPE it's matching is cpe:2.3:a:pivotal_software:spring_security:7.1.0 — which looks like the old Pivotal naming. Spring Security is now maintained by Broadcom/Spring, so I'm not sure if this CVE actually applies to the current 7.1.0 release.

7.1.0 is the latest stable version available on Maven Central right now, so there's no newer version to upgrade to.

I can confirm via mvn dependency:tree that we are actually running 7.1.0 and that this is the latest stable release available on Maven Central. There is no newer version to upgrade to, yet Dependency-Check still flags it as vulnerability.

By the way , Not just Depedency-Check , OSV-scanner produce a lot of transitive vulnerabilities that I can't really find them direcly in my pom.xml file .
before scanning i'm using either mvn depedency:resolve or mvn dependency:copy-dependencies
both produce a lot of vulnerabilities .

Tried SBOM instead , I think it's much better , it gives only what's in the pom.xml
but I'm not sure SBOM can track transitive dependencies as well ?

Btw i'm building CI pipeline for SCA , for sbom is good , it's working .
for maven cache can't patch all of those CVEs.

Has anyone else seen this? Is this a known false positive with the CPE matching, or is there an actual vulnerability in 7.1.0 that I'm missing?

ANY IDEAS ???

reddit.com
u/BrotherGlad4572 — 7 days ago