[ https://issues.apache.org/jira/browse/TIKA-2801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733230#comment-16733230 ]

Hudson commented on TIKA-2801:
------------------------------

SUCCESS: Integrated in Jenkins build Tika-trunk #1612 (See [https://builds.apache.org/job/Tika-trunk/1612/])
TIKA-2801 -- add ossindex-maven-plugin and upgrade vulnerable (tallison: [https://github.com/apache/tika/commit/0b286d3efcfd1aa50f0d7fed50b5f39a6a09cf38])
* (edit) tika-dl/pom.xml
* (edit) tika-example/pom.xml
* (edit) tika-nlp/pom.xml
* (edit) tika-parent/pom.xml
* (edit) tika-parsers/pom.xml
* (edit) tika-eval/pom.xml


> Tika includes 2 vulnerable components
> -------------------------------------
>
>                 Key: TIKA-2801
>                 URL: https://issues.apache.org/jira/browse/TIKA-2801
>             Project: Tika
>          Issue Type: Task
>          Components: parser
>    Affects Versions: 1.20
>            Reporter: Maxim Solodovnik
>            Priority: Critical
>
> Maven audit plugin reports 2 vulnerable components:
> com.google.guava:guava:jar:17.0:compile
>  * [CVE-2018-10237] Deserialization of Untrusted Data (5.9); https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0
> com.google.protobuf:protobuf-java:jar:2.5.0:compile
>  * [CVE-2015-5237] Improper Restriction of Operations within the Bounds of a Memory Buffer (8.8); https://ossindex.sonatype.org/vuln/d47d20ab-eb2a-4cfd-8064-bbf6283649cb
> Maybe it is worth adding the {{audit}} plugin to the build/release?
> {{mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml}}
