gitsafehub
github.com/seaswalker/spring-analysis ↗

seaswalker/spring-analysis

scanned 2026-06-30 · git 4379cce
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependencies38Known OSS vulnerabilities54Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 38 found · 2 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2016-1000027 spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization
    pom.xml
    A package you depend on has a known security hole (CVE-2016-1000027). Fix: Update that package to its patched version.
  • Serious CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+
    pom.xml
    A package you depend on has a known security hole (CVE-2022-22965). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
    pom.xml
    A package you depend on has a known security hole (CVE-2020-25649). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
    pom.xml
    A package you depend on has a known security hole (CVE-2020-36518). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
    pom.xml
    A package you depend on has a known security hole (CVE-2021-46877). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
    pom.xml
    A package you depend on has a known security hole (CVE-2022-42003). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-42004 jackson-databind: use of deeply nested arrays
    pom.xml
    A package you depend on has a known security hole (CVE-2022-42004). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54512 jackson-databind contains the general-purpose data-binding functionali ...
    pom.xml
    A package you depend on has a known security hole (CVE-2026-54512). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54513 jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution
    pom.xml
    A package you depend on has a known security hole (CVE-2026-54513). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-50193 jackson-databind contains the general-purpose data-binding functionali ...
    pom.xml
    A package you depend on has a known security hole (CVE-2026-50193). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54514 jackson-databind contains the general-purpose data-binding functionali ...
    pom.xml
    A package you depend on has a known security hole (CVE-2026-54514). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54515 jackson-databind contains the general-purpose data-binding functionali ...
    pom.xml
    A package you depend on has a known security hole (CVE-2026-54515). Fix: Update that package to its patched version.
  • Worth fixing CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
    pom.xml
    A package you depend on has a known security hole (CVE-2018-10237). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-2976 guava: insecure temporary directory creation
    pom.xml
    A package you depend on has a known security hole (CVE-2023-2976). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure
    pom.xml
    A package you depend on has a known security hole (CVE-2020-15250). Fix: Update that package to its patched version.
  • Worth fixing CVE-2017-3523 mysql-connector-java: Improper automatic deserialization of binary data (CPU Apr 2017)
    pom.xml
    A package you depend on has a known security hole (CVE-2017-3523). Fix: Update that package to its patched version.
  • Worth fixing CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)
    pom.xml
    A package you depend on has a known security hole (CVE-2018-3258). Fix: Update that package to its patched version.
  • Worth fixing CVE-2015-2575 mysql-connector-java: unspecified vulnerability related to Connector/J (CPU April 2015)
    pom.xml
    A package you depend on has a known security hole (CVE-2015-2575). Fix: Update that package to its patched version.
  • Worth fixing CVE-2017-3586 mysql-connector-java: Connector/J unspecified vulnerability (CPU Apr 2017)
    pom.xml
    A package you depend on has a known security hole (CVE-2017-3586). Fix: Update that package to its patched version.
  • Worth fixing CVE-2019-2692 mysql-connector-java: privilege escalation in MySQL connector
    pom.xml
    A package you depend on has a known security hole (CVE-2019-2692). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
    pom.xml
    A package you depend on has a known security hole (CVE-2022-21363). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages
    pom.xml
    A package you depend on has a known security hole (CVE-2020-10693). Fix: Update that package to its patched version.
  • Worth fixing CVE-2023-1932 hibernate-validator: rendering of invalid html with SafeHTML leads to HTML injection and XSS
    pom.xml
    A package you depend on has a known security hole (CVE-2023-1932). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-35036 hibernate-validator: Hibernate Validator Expression Language Injection
    pom.xml
    A package you depend on has a known security hole (CVE-2025-35036). Fix: Update that package to its patched version.
  • Worth fixing CVE-2022-22968 Framework: Data Binding Rules Vulnerability
    pom.xml
    A package you depend on has a known security hole (CVE-2022-22968). Fix: Update that package to its patched version.
… 13 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 54 found · 4 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-c27h-mcmw-48hv Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2019-10202). Fix: Update that package to its patched version.
  • Serious GHSA-4wrc-f8pq-fpqp Pivotal Spring Framework contains unsafe Java deserialization methods
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2016-1000027). Fix: Update that package to its patched version.
  • Serious GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2022-22965). Fix: Update that package to its patched version.
  • Serious GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2022-22965). Fix: Update that package to its patched version.
  • Worth fixing GHSA-288c-cq4h-88gq XML External Entity (XXE) Injection in Jackson Databind
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2020-25649). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3wrr-7qpf-2prh jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2026-50193). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3x8x-79m2-3w2w jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2021-46877). Fix: Update that package to its patched version.
  • Worth fixing GHSA-57j2-w4cx-62h2 Deeply nested json in jackson-databind
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2020-36518). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5jmj-h7xm-6q6v jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2026-54515). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hgj6-7826-r7m5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2026-54514). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j3rv-43j4-c7qm jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2026-54512). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jjjh-jjxp-wpff Uncontrolled Resource Consumption in Jackson-databind
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2022-42003). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rgv9-q543-rqg4 Uncontrolled Resource Consumption in FasterXML jackson-databind
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2022-42004). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rmj7-2vxq-3g9f jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2026-54513). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7g45-4rm6-3mm3 Guava vulnerable to insecure use of temporary directory
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2023-2976). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mvr2-9pj6-7w5j Denial of Service in Google Guava
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2018-10237). Fix: Update that package to its patched version.
  • Worth fixing GHSA-269g-pwp5-87pp TemporaryFolder on unix-like systems does not limit access to created files
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2020-15250). Fix: Update that package to its patched version.
  • Worth fixing GHSA-2xxh-f8r3-hvvr Improper Access Control in MySQL Connectors Java
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2017-3523). Fix: Update that package to its patched version.
  • Worth fixing GHSA-4vrv-ch96-6h42 Improper Privilege Management in MySQL Connectors Java
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2018-3258). Fix: Update that package to its patched version.
  • Worth fixing GHSA-g76j-4cxx-23h9 Improper Handling of Insufficient Permissions or Privileges in MySQL Connectors Java
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2022-21363). Fix: Update that package to its patched version.
  • Worth fixing GHSA-jcq3-cprp-m333 Privilege escalation in mysql-connector-jav
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2019-2692). Fix: Update that package to its patched version.
  • Worth fixing GHSA-m6vm-37g8-gqvh MySQL Connectors takeover vulnerability
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2023-22102). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pwh7-92h3-mqr6 Exposure of Sensitive Information to an Unauthorized Actor in Oracle MySQL Connectors Java
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2017-3586). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r6j9-8759-g62w Improper Restriction of XML External Entity Reference in jackson-mapper-asl
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2019-10172). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7v6m-28jr-rg84 Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language
    /workdirs/scan-84a211f8-bc32-4370-99e6-1ba7b8f36d10/pom.xml
    A package you depend on has a known security hole (CVE-2025-35036). Fix: Update that package to its patched version.
… 29 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.