I am using the below actuator dependency

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>

with Spring Boot 2,

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.5.RELEASE</version>
    </parent>

Any comments on the Fortify-related vulnerabilities, or do we have any justification for treating the Fortify issue as a false positive?
I suspect that the issue is being raised by Fortify not because of spring-boot-starter-actuator itself but because of its transitive dependency on Jackson, which contains a deserialization of untrusted data vulnerability. However, for an application to be vulnerable, a non-default, and probably quite unusual, set of circumstances has to be true. You can learn more about those circumstances in this blog post from Jackson's author. Spring Boot's Actuator does not enable polymorphic type handling, so if the Fortify warning is due to Jackson, it is a false positive.
The vulnerability has been fixed in Jackson 2.9.7 by blocking certain classes from polymorphic deserialisation. Spring Boot 2.0.6 and 2.1.0 use Jackson 2.9.7 by default.
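The condition the answer describes, as an added example that is not part of the original answer or of Spring Boot's own code: a plain `ObjectMapper` (the kind Spring Boot auto-configures for Actuator) has no default typing, so a type id embedded in JSON is just another key, while a mapper that calls `enableDefaultTyping()` is the non-default configuration the Jackson finding actually requires. The helper assumes Jackson 2.9.x `jackson-databind` on the classpath and inspects the mapper's configured default typer.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

import java.util.Map;

public class DefaultTypingCheck {

    /**
     * Returns true when the mapper would honour Jackson type ids found in the
     * JSON it reads, i.e. polymorphic type handling ("default typing") is on.
     * A null default typer means Jackson will not resolve classes from input.
     */
    static boolean defaultTypingEnabled(ObjectMapper mapper) {
        JavaType objectType = mapper.constructType(Object.class);
        TypeResolverBuilder<?> typer =
                mapper.getDeserializationConfig().getDefaultTyper(objectType);
        return typer != null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a document carrying a Jackson-style type id.
        String json = "{\"@class\":\"java.util.HashMap\",\"key\":\"value\"}";

        // Default mapper: this is the state Actuator leaves Jackson in.
        ObjectMapper plain = new ObjectMapper();
        Object result = plain.readValue(json, Object.class);

        System.out.println(defaultTypingEnabled(plain));           // false
        System.out.println(result.getClass().getSimpleName());     // LinkedHashMap
        // The type id was treated as ordinary data, not as a class to load.
        System.out.println(((Map<?, ?>) result).containsKey("@class")); // true

        // The non-default configuration the vulnerability depends on.
        // Only flagged here; nothing is deserialised with it.
        ObjectMapper weak = new ObjectMapper();
        weak.enableDefaultTyping(); // deprecated from Jackson 2.10 onwards
        System.out.println(defaultTypingEnabled(weak));            // true
    }
}
```

Running `defaultTypingEnabled` against the `ObjectMapper` bean your application actually uses is a quick way to confirm the false-positive justification for your own deployment.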