[ https://issues.apache.org/jira/browse/JCRVLT-674?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konrad Windszus resolved JCRVLT-674.
------------------------------------
    Resolution: Fixed

Fixed in https://github.com/apache/jackrabbit-filevault/commit/1b5bc54881b0971bf39f6ce1d6b13070b4c6204d.

Could no longer reproduce the other reported issues with the newer 
dependency-check plugin version 7.4.1.

> dependency-check issues while building master branch
> ----------------------------------------------------
>
>                 Key: JCRVLT-674
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-674
>             Project: Jackrabbit FileVault
>          Issue Type: Bug
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>         Attachments: dependency-check-report.html
>
>
> The following issues are emitted by the {{dependency-check}} plugin for the 
> Core Module of FileVault:
> {code}
> One or more dependencies were identified with known vulnerabilities in Apache Jackrabbit FileVault Core Bundle:
> commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10, cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
> commons-collections-3.2.2.jar (pkg:maven/commons-collections/commons-collections@3.2.2, cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
> h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212, cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868
> jackrabbit-jcr-commons-2.20.7.jar (pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7, cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533
> jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36, cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
> woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) : CVE-2022-40152
> {code}
> (https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/detail/master/195/pipeline/53)
> Those issues need to be fixed by either whitelisting them (if FileVault isn't 
> affected by the CVE) or updating the corresponding dependencies.
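The report above shows the same commons_net CPE being attached to commons-codec, jcl-over-slf4j and jackrabbit-jcr-commons, whose Maven coordinates name different products, which is the case for a whitelist entry rather than an upgrade. As an added example that is not part of the issue or of the FileVault commit, the script below parses findings in the quoted format, flags CPEs whose product does not correspond to the jar's artifactId, and renders them as OWASP dependency-check suppression entries for review; findings whose identifiers agree with the jar (h2, woodstox-core) are left untouched as update candidates. The sample package URLs are reconstructed from the jar names, since the mailing-list archive masked them.

```python
import re

# Constructed sample: the six findings from the JCRVLT-674 report, one per line,
# with each Maven package URL written out from the jar's coordinates.
FINDINGS = """\
commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10, cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
commons-collections-3.2.2.jar (pkg:maven/commons-collections/commons-collections@3.2.2, cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212, cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868
jackrabbit-jcr-commons-2.20.7.jar (pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7, cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533
jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36, cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) : CVE-2022-40152
"""

LINE_RE = re.compile(r"^(?P<jar>\S+\.jar) \((?P<ids>.*)\) : (?P<cve>CVE-\d+-\d+)$")
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>.+)$")
CPE_RE = re.compile(r"^cpe:2\.3:a:(?P<vendor>[^:]+):(?P<product>[^:]+):")

# One <suppress> per wrong CPE, keyed on the package URL (Java regex) so every version is covered.
SUPPRESS = """  <suppress>
    <notes><![CDATA[%s: CPE %s:%s does not match the Maven coordinates (%s)]]></notes>
    <packageUrl regex="true">%s</packageUrl>
    <cpe>cpe:/a:%s:%s</cpe>
  </suppress>"""

def parse_findings(text):
    """Yield (jar, purl match, [CPE matches], CVE id) for each report line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ids = [i.strip() for i in m["ids"].split(",")]
        purl = next((PURL_RE.match(i) for i in ids if i.startswith("pkg:")), None)
        cpes = [c for c in map(CPE_RE.match, ids) if c]
        yield m["jar"], purl, cpes, m["cve"]

def mismatched_cpes(artifact, cpes):
    """CPEs whose product name shares no stem with the Maven artifactId."""
    art = artifact.lower()
    return [(c["vendor"], c["product"]) for c in cpes
            if (p := c["product"].lower().replace("_", "-")) not in art and art not in p]

def suppression_xml(text):
    """Render a dependency-check suppressions file covering only the mismatched CPEs."""
    entries = []
    for jar, purl, cpes, cve in parse_findings(text):
        for vendor, product in mismatched_cpes(purl["artifact"], cpes) if purl else []:
            pattern = "^pkg:maven/%s/%s@.*$" % (re.escape(purl["group"]), re.escape(purl["artifact"]))
            entries.append(SUPPRESS % (jar, vendor, product, cve, pattern, vendor, product))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<suppressions xmlns="https://jeremylong.github.io/'
            'DependencyCheck/dependency-suppression.1.3.xsd">\n' + "\n".join(entries) + "\n</suppressions>\n")
```

Run `print(suppression_xml(FINDINGS))` to get the file, then point the plugin's `suppressionFile` parameter at it and keep the h2 and woodstox-core findings on the upgrade list.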



--
This message was sent by Atlassian Jira
(v8.20.10#820010)