[ https://issues.apache.org/jira/browse/JCRVLT-674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17648705#comment-17648705 ]

Konrad Windszus edited comment on JCRVLT-674 at 12/16/22 3:47 PM:
------------------------------------------------------------------

The CVE from h2 is explained in 
https://github.com/h2database/h2database/issues/3686 and there is neither an 
updated version provided nor a fix necessary. IMHO we can just ignore this new 
CVE.


was (Author: kwin):
The issue from h2 is explained in 
https://github.com/h2database/h2database/issues/3686 and there is neither an 
updated version provided nor a fix necessary. IMHO we can just ignore this new 
CVE.

> dependency-check issues while building master branch
> ----------------------------------------------------
>
>                 Key: JCRVLT-674
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-674
>             Project: Jackrabbit FileVault
>          Issue Type: Bug
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>         Attachments: dependency-check-report.html
>
>
> The following issues are emitted by the {{dependency-check}} plugin for the 
> Core Module of FileVault
> {code}
> One or more dependencies were identified with known vulnerabilities in Apache Jackrabbit FileVault Core Bundle:
> commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10, cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
> commons-collections-3.2.2.jar (pkg:maven/commons-collections/commons-collections@3.2.2, cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
> h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212, cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868
> jackrabbit-jcr-commons-2.20.7.jar (pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7, cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533
> jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36, cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
> woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) : CVE-2022-40152
> {code}
> (https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/detail/master/195/pipeline/53)
> Those issues need to be fixed either by whitelisting them (if FileVault isn't 
> affected by the CVE) or by updating the corresponding dependencies.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
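As an added example (not part of this issue or of the FileVault project), a dependency-check suppression file that whitelists only the findings the report and comment above describe as not applicable: the CVE-2021-37533 hits are matched through a commons_net CPE that none of those artifacts is, and the h2 CVE is explained upstream as needing no fix. The file name and the Maven wiring mentioned below are assumptions; the woodstox finding is deliberately left unsuppressed because the thread does not settle it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name, example only) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2021-37533 is an Apache Commons Net issue. The scanner assigned the
       commons_net CPE to unrelated artifacts, so suppress the wrong CPE for
       each of them rather than the CVE: a future genuine commons-net
       dependency would still be flagged. -->
  <suppress>
    <notes><![CDATA[False positive: commons-codec is not Commons Net]]></notes>
    <packageUrl regex="true">^pkg:maven/commons\-codec/commons\-codec@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_net</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[False positive: commons-collections is not Commons Net]]></notes>
    <packageUrl regex="true">^pkg:maven/commons\-collections/commons\-collections@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_net</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[False positive: jackrabbit-jcr-commons is not Commons Net]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.jackrabbit/jackrabbit\-jcr\-commons@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_net</cpe>
  </suppress>
  <suppress>
    <notes><![CDATA[False positive: jcl-over-slf4j is not Commons Net]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.slf4j/jcl\-over\-slf4j@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_net</cpe>
  </suppress>

  <!-- CVE-2022-45868 (h2): upstream states in
       https://github.com/h2database/h2database/issues/3686 that no fix is
       needed. Here the CVE itself is suppressed, pinned to the exact version
       so the decision is revisited whenever h2 is upgraded. -->
  <suppress>
    <notes><![CDATA[CVE-2022-45868: no fix necessary per h2 issue 3686]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.h2database/h2@2\.1\.212$</packageUrl>
    <cve>CVE-2022-45868</cve>
  </suppress>
</suppressions>
```

The file is referenced from the dependency-check-maven plugin's `suppressionFiles` configuration; the `<notes>` entries are what a reviewer reads later to decide whether a suppression is still justified.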
