Hi,

> But jetty-setuid-java:1.0.4 is still there, so I just worry that the
> vulnerabilities are still in the Dropwizard package. Or am I wrong?
That’s correct, the dependency on jetty-setuid-java 1.0.4 is still there, but this was never an issue to begin with. You should consider that https://mvnrepository.com/artifact/org.eclipse.jetty.toolchain.setuid/jetty-setuid-java/1.0.4 is showing incorrect data. ;-)

Cheers,
Jochen

> On 30.06.2023 at 04:45, Minh Giang Tran <[email protected]> wrote:
>
> hi,
>
> I understand, but even trying with Dropwizard 2.1.7 or 3.0.0 or 4.0.1,
> org.eclipse.jetty.toolchain.setuid:jetty-setuid-java:1.0.4 still seems to be
> in the dependencies.
>
> I checked https://mvnrepository.com/artifact/io.dropwizard/dropwizard-core/2.1.7;
> it seems there are no vulnerabilities from version 2.1.7.
>
> But jetty-setuid-java:1.0.4 is still there, so I just worry that the
> vulnerabilities are still in the Dropwizard package. Or am I wrong?
>
> I'm using grype to check the vulnerabilities from the image, FYI.
>
> On Friday, June 30, 2023 at 3:02:53 AM UTC+7 [email protected] wrote:
>> Hi,
>>
>> Not a single one of the listed vulnerabilities is for
>> org.eclipse.jetty.toolchain.setuid:jetty-setuid-java:1.0.4. They are all for
>> older versions of Jetty itself, for which there are updated versions of
>> Dropwizard 2.1.x, 3.x, and 4.x.
>>
>> If your security scanner is flagging this, you should switch to another
>> provider for these kinds of things.
>>
>> Please also note that Dropwizard 2.0.x has been EOL since January 31, 2023 and
>> will not receive any updates anymore.
>>
>> Best regards,
>> Jochen
>>
>>> On 29.06.2023 at 18:20, Minh Giang Tran <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> We are currently using Dropwizard 2.0.x for our project. During the process
>>> of scanning the Docker image built from our project, we have discovered
>>> several vulnerabilities in the dependencies, including jetty-setuid-java
>>> 1.0.4 (CVE-2017-7658 and CVE-2017-7657).
>>>
>>> Unfortunately, jetty-setuid-java 1.0.4 is the latest version available, and
>>> even the latest version of Dropwizard still relies on it.
>>>
>>> In light of this situation, I would like to inquire about the best course
>>> of action for excluding these vulnerabilities. Please find the details of
>>> the jetty-setuid-java 1.0.4 vulnerability information at the following link:
>>>
>>> https://mvnrepository.com/artifact/org.eclipse.jetty.toolchain.setuid/jetty-setuid-java/1.0.4
>>>
>>> Thank you for your assistance.

--
You received this message because you are subscribed to the Google Groups "dropwizard-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/dropwizard-user/25FE5EC5-6C6A-4B25-9F19-0836702B00AF%40schalanda.name.
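The practical problem in this thread is a scanner finding that the maintainer says is misattributed: the CVEs belong to Jetty itself, not to jetty-setuid-java, and the fix is an updated Dropwizard line rather than a jetty-setuid-java upgrade. What a practitioner needs next is a way to record that determination so the finding stays suppressed with a written justification instead of being silently ignored. The script below is an added example written for this thread; it is not grype's code and not Dropwizard's. It reads a grype-style JSON report (a constructed sample is embedded, including a placeholder finding CVE-0000-0000 that must remain open), applies a reviewer-maintained false-positive register in which every rule must carry a reason, reports each finding by its Maven coordinates, and renders the register as a `.grype.yaml` `ignore:` section. Assumptions: only the grype JSON fields the code reads (`matches[].vulnerability.id`/`severity`, `matches[].artifact.name`/`version`/`purl`) and the documented grype ignore-rule layout, which should be checked against the grype version actually in use.

```python
"""Added triage example for the thread above (not grype's or Dropwizard's
code): separate grype findings that a reviewer has documented as false
positives, with a written reason, from those still needing action, and
render the documented ones as grype ignore rules. Assumed: only the grype
JSON fields read below, and grype's documented .grype.yaml `ignore:`
layout (check it against the grype version in use)."""
import json

SETUID = "pkg:maven/org.eclipse.jetty.toolchain.setuid/jetty-setuid-java@1.0.4"
# Constructed report shaped like grype JSON: the two Jetty CVEs from the
# thread attributed to jetty-setuid-java 1.0.4, plus one placeholder
# finding (CVE-0000-0000, constructed) that must survive triage.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2017-7658", "severity": "Critical"},
     "artifact": {"name": "jetty-setuid-java", "version": "1.0.4", "purl": SETUID}},
    {"vulnerability": {"id": "CVE-2017-7657", "severity": "Critical"},
     "artifact": {"name": "jetty-setuid-java", "version": "1.0.4", "purl": SETUID}},
    {"vulnerability": {"id": "CVE-0000-0000", "severity": "High"},
     "artifact": {"name": "example-lib", "version": "2.0.0",
                  "purl": "pkg:maven/com.example/example-lib@2.0.0"}},
]})

# Reviewer-maintained false-positive register. Each rule must carry a
# reason so suppressions stay auditable; triage() rejects rules without one.
FALSE_POSITIVES = [
    {"vulnerability": cve, "package": "jetty-setuid-java", "version": "1.0.4",
     "reason": "Advisory is for Jetty itself, not jetty-setuid-java; updated "
               "Jetty comes with Dropwizard 2.1.x/3.x/4.x (dropwizard-user, 2023-06-30)"}
    for cve in ("CVE-2017-7658", "CVE-2017-7657")
]


def parse_maven_purl(purl):
    """Split pkg:maven/<group>/<artifact>@<version>[?qualifiers] into parts."""
    prefix = "pkg:maven/"
    if not purl.startswith(prefix):
        raise ValueError(f"not a Maven purl: {purl}")
    coords, _, rest = purl[len(prefix):].partition("@")
    group, _, artifact = coords.rpartition("/")
    version = rest.split("?", 1)[0]
    if not (group and artifact and version):
        raise ValueError(f"malformed Maven purl: {purl}")
    return group, artifact, version


def matching_rule(match, rules):
    """First rule whose CVE, package name and (optional) version all agree
    with this match, or None. A pinned version never covers other versions."""
    art = match["artifact"]
    for rule in rules:
        if (rule["vulnerability"] == match["vulnerability"]["id"]
                and rule["package"] == art["name"]
                and rule.get("version") in (None, art["version"])):
            return rule
    return None


def triage(report_json, rules):
    """Return (open_findings, suppressed); each finding carries its Maven
    coordinates so the reviewer sees exactly which artifact was matched."""
    for rule in rules:
        if not rule.get("reason", "").strip():
            raise ValueError(f"ignore rule for {rule['vulnerability']} has no reason")
    open_findings, suppressed = [], []
    for match in json.loads(report_json)["matches"]:
        group, artifact, version = parse_maven_purl(match["artifact"]["purl"])
        finding = {"cve": match["vulnerability"]["id"],
                   "severity": match["vulnerability"]["severity"],
                   "gav": f"{group}:{artifact}:{version}"}
        rule = matching_rule(match, rules)
        if rule is None:
            open_findings.append(finding)
        else:
            suppressed.append({**finding, "reason": rule["reason"]})
    return open_findings, suppressed


def grype_ignore_yaml(rules):
    """Render the register as a .grype.yaml `ignore:` section, keeping the
    reason next to each rule as a YAML comment."""
    lines = ["ignore:"]
    for rule in rules:
        lines.append(f"  # {rule['reason']}")
        lines.append(f"  - vulnerability: {rule['vulnerability']}")
        lines.append("    package:")
        lines.append(f"      name: {rule['package']}")
        if rule.get("version"):
            lines.append(f"      version: {rule['version']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    remaining, ignored = triage(SAMPLE_REPORT, FALSE_POSITIVES)
    for f in ignored:
        print(f"suppressed {f['cve']} on {f['gav']}: {f['reason']}")
    for f in remaining:
        print(f"OPEN       {f['cve']} ({f['severity']}) on {f['gav']}")
    print(grype_ignore_yaml(FALSE_POSITIVES))
```

Two design choices matter here. Rules are pinned to the exact artifact version that was reviewed, so a future jetty-setuid-java release would be re-evaluated rather than inherit the suppression, and a rule with an empty reason is rejected outright, because an unexplained ignore entry is exactly what turns a tracked false positive into a blind spot.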
