Hi Bernd,

I don't think we have a defined procedure for such upgrades. Feel free to create Jira issues and provide PRs. I currently do not actively work on aries-rsa, but I can help by applying the PRs.

We have dependabot at Apache. Not sure if it would catch these issues; it does not seem to have created PRs. You can check with the Apache Infra team about enabling Snyk for Apache projects. I do not think we can do that on the project level (not sure).

Christian

On Tue, 5 Apr 2022 at 03:13, Bernd Eckenfels <e...@zusammenkunft.net> wrote:

> Hello,
>
> I got a lot of security issues of karaf 4.0.4 (mostly embedded Tomcat)
> reported by the Snyk scan service for the Aries-rsa dependency
> (feature/pom.xml). Snyk claims it is fixed with karaf 4.1.1. I understand
> that this minimum version is mostly to be compatible with older karaf
> versions' API.
>
> So I wonder, do you have a policy when to bump up those versions,
> especially if the existing ones are with known vulnerabilities? It's not so
> much an issue of the delivery, I guess - given that users would have to
> pick unsafe old karaf versions and can easily deploy into an up-to-date
> container - if I see that correctly? But it does endorse somewhat known-bad
> versions.
>
> I have here in our 'fork' the open Snyk reports (not sure if they all
> apply to upstream master, but they do apply for feature/pom.xml (karaf
> 4.0.4)): https://github.com/seeburger-ag/aries-rsa/pulls
>
> Is it also an option to enable that directly on the ASF repo?
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net

--
Christian Schneider
http://www.liquid-reality.de

Computer Scientist
http://www.adobe.com