Thanks, I'll pull latest. Appreciate your help.

On Mon, Apr 22, 2024 at 9:30 AM Tilman Hausherr <thaush...@t-online.de> wrote:
> Hi,
>
> We look at what the CVE is about. Some CVEs are irrelevant (see recent rant
> from Tim) and we can add an exclusion in the OSS section. Sometimes all
> that is needed is to update a dependency or add it in the management
> section or exclude it (on the assumption that the tests cover everything).
>
> About this case: it has been updated in the repository to exclude two
> threeten versions from OSS.
>
> Tilman
>
> On 22.04.2024 16:16, Nicholas DiPiazza wrote:
> > When getting these sorts of errors:
> >
> > [ERROR] Failed to execute goal
> > org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit
> > (audit-dependencies) on project tika-dl: Detected 1 vulnerable components:
> > [ERROR] org.threeten:threetenbp:jar:1.3.3:provided;
> > https://ossindex.sonatype.org/component/pkg:maven/org.threeten/threetenbp@1.3.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> > [ERROR] * [CVE-2024-23081] CWE-476: NULL Pointer Dereference (3.7);
> > https://ossindex.sonatype.org/vulnerability/CVE-2024-23081?component-type=maven&component-name=org.threeten%2Fthreetenbp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> > [ERROR] * [CVE-2024-23082] CWE-190: Integer Overflow or Wraparound (5.3);
> > https://ossindex.sonatype.org/vulnerability/CVE-2024-23082?component-type=maven&component-name=org.threeten%2Fthreetenbp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> > [ERROR]
> >
> > How do you all typically proceed? Do I patch the issue and move on somehow?
> > How do I get my builds to work now that this error has happened?
> >
> > -Nicholas
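The "exclusion in the OSS section" Tilman describes, as an added example that is not the Tika project's own pom.xml: a Maven configuration for the ossindex-maven-plugin that suppresses the finding Nicholas hit. It assumes the plugin's `excludeCoordinates`, `excludeVulnerabilityIds` and `fail` parameters (the plugin's documented configuration; check them against the plugin version you run), reuses the plugin version 3.2.0 and the threetenbp 1.3.3 coordinate from the error output, and takes the two CVE ids from the same log. The second threeten version Tilman mentions is not named in the thread, so it is not filled in here.

```xml
<!-- Added example, not the Tika project's pom.xml: keep the ossindex audit
     failing the build, but suppress findings that have been reviewed and
     judged irrelevant. Assumes the plugin parameters excludeCoordinates,
     excludeVulnerabilityIds and fail; verify against your plugin version. -->
<plugin>
  <groupId>org.sonatype.ossindex.maven</groupId>
  <artifactId>ossindex-maven-plugin</artifactId>
  <version>3.2.0</version>
  <executions>
    <execution>
      <id>audit-dependencies</id>
      <goals>
        <goal>audit</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- Keep failing the build on any finding that is not excluded below. -->
    <fail>true</fail>

    <!-- Option 1 (what Tilman describes): drop one artifact version from the
         audit entirely. Add one <exclude> per further version. -->
    <excludeCoordinates>
      <exclude>
        <groupId>org.threeten</groupId>
        <artifactId>threetenbp</artifactId>
        <version>1.3.3</version>
      </exclude>
    </excludeCoordinates>

    <!-- Option 2 (narrower): suppress only the ids that were reviewed, so a
         new CVE against the same artifact still fails the build. -->
    <excludeVulnerabilityIds>
      <exclude>CVE-2024-23081</exclude>
      <exclude>CVE-2024-23082</exclude>
    </excludeVulnerabilityIds>
  </configuration>
</plugin>
```

Of the two, the per-CVE exclusion is the safer default: a coordinate exclusion silences every future finding for that version, whereas an id exclusion records exactly which reports were triaged as irrelevant and why (put the reason in the comment next to the id). Either one is a documented risk decision, not a fix; updating or pinning the dependency in dependencyManagement, as Tilman also mentions, is the actual remediation when a fixed version exists.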