Hello, I got a lot of security issues for Karaf 4.0.4 (mostly the embedded Tomcat) reported by the Snyk scan service for the Aries RSA dependency (feature/pom.xml). Snyk claims they are fixed in Karaf 4.1.1. I understand that this minimum version is mostly there to stay compatible with the API of older Karaf versions.

So I wonder, do you have a policy for when to bump those versions, especially if the existing ones have known vulnerabilities? It's not so much an issue of the delivery, I guess - given that users would have to pick unsafe old Karaf versions and can easily deploy into an up-to-date container - if I see that correctly? But it does somewhat endorse known-bad versions.

I have here in our 'fork' the open Snyk reports (not sure if they all apply to upstream master, but they do apply to feature/pom.xml (Karaf 4.0.4)): https://github.com/seeburger-ag/aries-rsa/pulls

Is it also an option to enable that directly on the ASF repo?

Regards,
Bernd
--
http://bernd.eckenfels.net