[ 
https://issues.apache.org/jira/browse/NIFI-8901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daniel Stieglitz resolved NIFI-8901.
------------------------------------
    Resolution: Abandoned

Current version of NIFI 2.8 uses later changes of most of the dependencies and 
does not use hibernate-validator at all. Furthermore, no other changes are 
being made to 1.x.

> Update maven dependencies that have CVEs
> ----------------------------------------
>
>                 Key: NIFI-8901
>                 URL: https://issues.apache.org/jira/browse/NIFI-8901
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: NiFi Registry
>            Reporter: Alex Herman
>            Assignee: Nathan Gough
>            Priority: Major
>
> Running an AppScan vulnerability analysis on the 0.5.0 tag of NiFi Registry 
> found the following issues with dependencies:
>  * jackson-databind-2.9.9.1.jar - CVE-2019-16335, CVE-2019-14379, 
> CVE-2019-16942, CVE-2019-17267, CVE-2019-16943, CVE-2019-17531, 
> CVE-2019-14540, CVE-2019-14439
>  * h2-1.4.197.jar - CVE-2018-10054, CVE-2018-14335
>  * httpclient-4.5.2.jar (transitive dependency of org.eclipse.jgit) - 
> https://github.com/apache/httpcomponents-client/commit/0554271750599756d4946c0d7ba43d04b1a7b220
>  * hibernate-validator-6.0.17.Final.jar (transitive dependency of spring) - 
> CVE-2019-10219
>  * jackson-databind-2.9.8.jar (transitive dependency of aws-java-sdk-version) 
> - CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, 
> CVE-2019-14540, CVE-2019-17531, CVE-2019-14379, CVE-2019-12814, 
> CVE-2019-12086, CVE-2019-12384, CVE-2019-14439
>  * netty-codec-http2-4.1.33.Final.jar (transitive dependency of 
> aws-java-sdk-version) - CVE-2019-9518
>
> I'm not sure what the process is for addressing things like this, but I can 
> put together a pull request, if that would be helpful.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
