[
https://issues.apache.org/jira/browse/TIKA-3925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631664#comment-17631664
]
Tim Allison commented on TIKA-3925:
-----------------------------------
I'm attaching mvn dependency:tree against 2.6.0, and I don't see what you're
seeing.
If you are using our packages via maven (e.g. you're not just using tika-app or
tika-server), you need to inherit from our parent pom or bom to include our
dependency management section. Our parent pom is not automatically inherited
if you are including our modules as dependencies.
For how to inherit our parent pom, see:
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17629794#comment-17629794
For how to inherit from our bom see:
https://github.com/apache/tika#maven-dependencies
If I'm misunderstanding something, please let me know.
> Use of vulnerable quartz and c3p0 in tika-parser-scientific-module
> ------------------------------------------------------------------
>
> Key: TIKA-3925
> URL: https://issues.apache.org/jira/browse/TIKA-3925
> Project: Tika
> Issue Type: Bug
> Components: depedency
> Affects Versions: 2.6.0
> Reporter: Vishal Ranjan
> Priority: Critical
> Attachments: dependencies.txt.zip
>
>
> There are the following High security vulnerabilities in
> tika-parser-scientific-module:2.6.0:
> quartz:2.2.0 has CVE-2019-13990
> c3p0:0.9.1.1 has CVE-2018-20433
> The suggested resolution is to upgrade these dependencies but
> "tika-parser-scientific-module" latest version 2.6.0 still uses same version.
> Because of this we are unable to do away with these vulnerabilities.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
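As an added illustration of the fix the comment describes (this is not code from the comment, the reporter, or the Tika project), below is a minimal consumer pom.xml that imports Tika's bom into its own dependencyManagement so that Tika's managed versions apply to transitive dependencies pulled in through tika-parser-scientific-module, with an explicit override of the two flagged artifacts as a second layer. The bom artifactId (tika-bom) is taken from the README section the comment links to; the quartz and c3p0 coordinates (org.quartz-scheduler:quartz, com.mchange:c3p0) and the pinned versions are assumptions here and should be verified against the CVE advisories before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example consumer pom (added illustration, not Tika's own pom). -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>tika-consumer</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <tika.version>2.6.0</tika.version>
    <!-- Assumed fixed versions; confirm against CVE-2019-13990 and CVE-2018-20433. -->
    <quartz.version>2.3.2</quartz.version>
    <c3p0.version>0.9.5.4</c3p0.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Import Tika's bom. Without this (or inheriting tika-parent),
           Tika's dependencyManagement section is NOT applied to your build,
           and Maven's nearest-wins resolution may pick an older transitive. -->
      <dependency>
        <groupId>org.apache.tika</groupId>
        <artifactId>tika-bom</artifactId>
        <version>${tika.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Belt-and-braces: pin the two flagged artifacts explicitly.
           Entries here take precedence over the imported bom. Coordinates
           are assumed; check them with dependency:tree first. -->
      <dependency>
        <groupId>org.quartz-scheduler</groupId>
        <artifactId>quartz</artifactId>
        <version>${quartz.version}</version>
      </dependency>
      <dependency>
        <groupId>com.mchange</groupId>
        <artifactId>c3p0</artifactId>
        <version>${c3p0.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Version comes from the imported bom; no <version> needed here. -->
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parser-scientific-module</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm what actually resolves, run `mvn dependency:tree -Dincludes=org.quartz-scheduler,com.mchange` (or simply `mvn dependency:tree`, as the comment does) and check the versions shown for quartz and c3p0; a scanner that reads the Tika module's own pom rather than your resolved tree will keep reporting the old versions even after this change.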