[ https://issues.apache.org/jira/browse/AMQ-7103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16688555#comment-16688555 ]
Albert Baker commented on AMQ-7103:
-----------------------------------

will do....

grep the dependency report for CVE | grep Severity:High
google CVE-###### AND POC OR proof of concept
download it, build it, test it... gimme an hour, and me (anyone) can have a handful of them.

In this day and age it's pretty silly to require proof of exploit, when we can easily update the pom file to a new ver of the .jar and poof, the vulnerability is gone.

> Dependency updates flagged by OWASP Dependency Check
> ----------------------------------------------------
>
>                 Key: AMQ-7103
>                 URL: https://issues.apache.org/jira/browse/AMQ-7103
>             Project: ActiveMQ
>          Issue Type: Improvement
>    Affects Versions: 5.15.7
>            Reporter: Christopher L. Shannon
>            Priority: Major
>             Fix For: 5.15.9
>
>
> Original text from Jira issue from [~ABakerIII] -
>
> Please determine if
> # The 458 vulnerabilities are true vulnerabilities or false positives
> # Are there newer versions of the vulnerable libraries available
> # Will updating the pom to use the new libraries break the build/test or not
> # If some updates do break the build/test, please update the code to work.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)