gitsafehub
github.com/ityouknow/spring-boot-examples

ityouknow/spring-boot-examples

scanned 2026-05-28 · git 53c8c8d
1 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 985 found · 237 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2017-5929 logback: Serialization vulnerability in SocketServer and ServerSocketReceiver
  • Serious CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
  • Serious CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
  • Serious CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
  • Serious CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
  • Serious CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
  • Serious CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
  • Serious CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
  • Serious CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
  • Serious CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
  • Serious CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
  • Serious CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
  • Serious CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
  • Serious CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
  • Serious CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
  • Serious CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
  • Serious CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
  • Serious CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
  • Serious CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
  • Serious CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking
  • Serious CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking
  • Serious CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap
  • Serious CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core
  • Serious CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
  • Serious CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability

  All 25 findings shown are in 1.x/spring-boot-actuator/pom.xml, and the fix for each is the same: update the affected package to a patched version. In a Spring Boot module these libraries are transitive dependencies whose versions are managed by the Spring Boot parent, so the effective fix is to move the module off the out-of-support 1.x line (or, short of that, override the managed version property for the package) and re-scan, rather than to edit each dependency by hand. Two caveats for triage: the jackson-databind entries are deserialization gadget chains that are only reachable where polymorphic default typing is enabled for untrusted input, and CVE-2020-1938 needs the AJP connector, which embedded Tomcat does not open unless configured to. Neither caveat makes the outdated versions acceptable; they affect priority, not whether to upgrade.
… 960 more not shown

via Trivy v0.70.0 · Apache-2.0
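With 985 findings of which only 25 are listed, the first practical step is to collapse the report into a worklist of upgrades rather than reading it CVE by CVE. The Python below is an added example, not part of this page or of the ityouknow/spring-boot-examples project: it reads a report in the JSON shape that `trivy fs --format json` produces, groups findings by target file and package, counts the serious ones, and picks the highest fixed version any advisory names as the upgrade target. The embedded sample report is constructed for illustration; its CVE IDs are taken from the list above, but its installed and fixed versions are made up, and the empty FixedVersion on the logback entry is there only to exercise the unfixed path.

```python
"""Collapse a Trivy JSON report into one upgrade action per (target, package).

Trivy emits one entry per CVE, so a handful of stale libraries can produce
hundreds of findings. Grouping by target file and package, and taking the
highest FixedVersion any advisory names, turns that into a short worklist.
"""
import json
import re
from collections import defaultdict

SERIOUS = {"CRITICAL", "HIGH"}

# Constructed sample in the shape of `trivy fs --format json` output. The CVE
# IDs appear in the scan above; installed and fixed versions are made up, and
# the empty FixedVersion on logback exists only to exercise the unfixed path.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "1.x/spring-boot-actuator/pom.xml", "Type": "pom", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-14379", "PkgName": "com.fasterxml.jackson.core:jackson-databind",
         "InstalledVersion": "2.8.0", "FixedVersion": "2.9.9.2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2019-14540", "PkgName": "com.fasterxml.jackson.core:jackson-databind",
         "InstalledVersion": "2.8.0", "FixedVersion": "2.9.10", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2017-15095", "PkgName": "com.fasterxml.jackson.core:jackson-databind",
         "InstalledVersion": "2.8.0", "FixedVersion": "2.8.11, 2.9.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2020-1938", "PkgName": "org.apache.tomcat.embed:tomcat-embed-core",
         "InstalledVersion": "8.5.0", "FixedVersion": "8.5.51", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2017-5929", "PkgName": "ch.qos.logback:logback-classic",
         "InstalledVersion": "1.1.0", "FixedVersion": "", "Severity": "MEDIUM"},
    ]},
]})


def version_key(v):
    """Sort key for dotted versions such as '2.9.10.4' or '9.0.31'.
    Non-numeric segments (e.g. 'RC1') sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v.strip()))


def triage(report_json, serious=SERIOUS):
    """Return a list of upgrade actions, most serious first."""
    groups = defaultdict(lambda: {"total": 0, "serious": 0, "fixed": set(), "unfixed": []})
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            g = groups[(target, vuln["PkgName"], vuln.get("InstalledVersion", "?"))]
            g["total"] += 1
            if vuln.get("Severity", "").upper() in serious:
                g["serious"] += 1
            # FixedVersion may name several branch fixes, comma-separated.
            fixed = [f.strip() for f in (vuln.get("FixedVersion") or "").split(",") if f.strip()]
            if fixed:
                g["fixed"].update(fixed)
            else:
                g["unfixed"].append(vuln["VulnerabilityID"])

    actions = []
    for (target, pkg, installed), g in groups.items():
        actions.append({
            "target": target,
            "package": pkg,
            "installed": installed,
            "total": g["total"],
            "serious": g["serious"],
            # Highest fixed version any advisory names: a later release on the
            # newest branch normally carries every earlier fix, so one upgrade
            # closes the whole group. Verify against the advisories before trusting it.
            "upgrade_to": max(g["fixed"], key=version_key) if g["fixed"] else None,
            "unfixed": g["unfixed"],
        })
    actions.sort(key=lambda a: (-a["serious"], -a["total"], a["target"], a["package"]))
    return actions


if __name__ == "__main__":
    for a in triage(SAMPLE_REPORT):
        print(f'{a["target"]}: {a["package"]} {a["installed"]} -> '
              f'{a["upgrade_to"] or "no fix listed"} '
              f'({a["serious"]} serious of {a["total"]}; unfixed: {a["unfixed"] or "none"})')
```

On real output (`trivy fs --format json -o trivy.json .` followed by `triage(open("trivy.json").read())`) the worklist is usually a few dozen lines for a report of this size, and the serious count per line gives the order to work in. The upgrade_to value is a starting point, not a verdict: a package maintained on several release branches may need the branch-specific fix rather than the numerically highest one.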

Known OSS vulnerabilities — OSV-Scanner timed out

Your dependencies cross-checked against the OSV vulnerability database.

This check didn’t finish, which is not the same as “clean”; re-run the scan to get a result.

via OSV-Scanner v1.9.2 · Apache-2.0

error: timeout after 120s

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard timed out

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish, which is not the same as “clean”; re-run the scan to get a result.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

error: timeout after 120s

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.