JavaEcosystemResearch opened a new issue, #218: URL: https://github.com/apache/royale-compiler/issues/218
Hi! We spotted a vulnerable dependency in your project, which might threaten your software. We also found that the vulnerable function of this CVE can be easily accessed from your software: there is no constraint along the invocation path to the vulnerable function.

+ CVE_ID: **CVE-2021-29425**
+ Vulnerable dependency: **commons-io:commons-io**
+ Vulnerable function: **getPrefixLength(java.lang.String)**
+ Invocation path to the vulnerable method:

```java
org.apache.royale.compiler.internal.tree.mxml.MXMLNodeBase:resolveSourceAttributePath(org.apache.royale.compiler.internal.tree.mxml.MXMLTreeBuilder,org.apache.royale.compiler.mxml.IMXMLTagAttributeData,org.apache.royale.compiler.internal.tree.mxml.MXMLNodeBase$MXMLNodeInfo)
⬇️
org.apache.commons.io.FilenameUtils:concat(java.lang.String,java.lang.String)
⬇️
org.apache.commons.io.FilenameUtils:getPrefixLength(java.lang.String)
```

Therefore, maybe you need to upgrade this dependency. Hope this can help you! 😄
