[
https://issues.apache.org/jira/browse/SLING-10284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17317832#comment-17317832
]
Konrad Windszus edited comment on SLING-10284 at 4/9/21, 9:49 AM:
------------------------------------------------------------------
In general we depend on the lowest version supported. Whether that is defined
by the parent pom or locally does not really matter here. Please bring d-c-m to
ignore that dependency. I don't think we should do anything in Sling.
In general all dependencies with scope "provided" are not included in the
bundle but referenced at run time. Usually using "compile" scope for classes
you want to embed works fine and only those should be checked with tools like
d-c-m.
was (Author: kwin):
In general we depend on the lowest version supported. Whether that is defined
by the parent pom or locally does not really matter here. Please bring d-c-m to
ignore that dependency. I don't think we should do anything in Sling.
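As an added illustration (not part of the comment above or of the Sling project), the two ways the comment suggests handling this on the consuming side with dependency-check-maven: a suppression file that silences the specific finding for the resourcemerger artifact, and the plugin option that excludes `provided`-scope dependencies from the scan altogether, since those are referenced at run time rather than embedded in the bundle. The file name `dependency-check-suppressions.xml`, the notes text and the plugin configuration placement are assumptions; the suppression schema and the `suppressionFiles` / `skipProvidedScope` options are standard dependency-check-maven configuration.

```xml
<!-- dependency-check-suppressions.xml (file name assumed for this example) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      SLING-10284: the resourcemerger bundle does not embed the flagged
      dependency; it is declared with "provided" scope and resolved at run time.
      Suppress only this CVE for this artifact, not the artifact as a whole.
    ]]></notes>
    <!-- match every version of the artifact via its package URL -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.sling/org\.apache\.sling\.resourcemerger@.*$</packageUrl>
    <cve>CVE-2015-2944</cve>
  </suppress>
</suppressions>

<!-- pom.xml plugin configuration (placement in the build section assumed) -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.3.0</version>
  <executions>
    <execution>
      <id>check-dependencies-for-vulnerabilities</id>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- point the scanner at the suppression file above -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
    <!-- do not scan "provided" dependencies: they are not shipped in the bundle -->
    <skipProvidedScope>true</skipProvidedScope>
  </configuration>
</plugin>
```

Prefer the narrow `<cve>` suppression over a bare `<packageUrl>` match, so that a future CVE against the same artifact is still reported; `skipProvidedScope` is the broader lever and should only be set once the build really embeds nothing but `compile`-scope classes, as the comment describes.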
> Dependency check fails on CVE-2015-2944 for Sling Resource Merger 1.4.0
> -----------------------------------------------------------------------
>
> Key: SLING-10284
> URL: https://issues.apache.org/jira/browse/SLING-10284
> Project: Sling
> Issue Type: Bug
> Components: ResourceResolver
> Affects Versions: Resource Merger 1.4.0
> Reporter: Henry Kuijpers
> Priority: Major
>
> Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> (check-dependencies-for-vulnerabilities) on project dependencies:
> One or more dependencies were identified with vulnerabilities:
> org.apache.sling.resourcemerger-1.4.0.jar: CVE-2015-2944
> See the dependency-check report for more details.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)