Dear GitHub user,

I am contacting you to inform you that, as a result of a study that SAP Security Research conducted on the top 100 most popular Java projects in GitHub, my colleagues and I found that the latest release of one of your projects includes at least one dependency affected by a known vulnerability (CVE).

I warmly invite you to reply to this email to get the details about our findings (identical copies of this message are being sent to all the owners/main contributors of the affected projects, so we cannot include more details here). We would be happy to provide all the information at our disposal as well as hear your opinion on how the general problem of vulnerable dependencies could be addressed by the open-source community, by commercial vendors, and by the research community.

Our findings are described at an aggregated level in a paper that we submitted for publication in the proceedings of a scientific conference; I am attaching the abstract of our paper. While we do not list the projects that we analyzed, it would be possible for anyone to reproduce our search on GitHub and guess the list of projects we studied. Technically, what we found is already visible to anybody who cares to do what we did, that is, to construct the full dependency tree for your project and check your dependencies one by one against the NVD.

Would you please note that, while we cannot say for sure if your project is actually exploitable because of its vulnerable dependency(-es), we strongly advise that you look into the issue and check if an upgrade to a more recent, non-vulnerable version is feasible.

I look forward to hearing from you,

Antonino Sabetta, Ph.D.
Senior Researcher
SAP Security Research
SAP Labs France
805, av. Maurice Donat
06254 Mougins CEDEX - FRANCE
[email protected]
+33 4 9228 6284

--
You received this message because you are subscribed to the Google Groups "Netty discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/netty/247e53c493744731946d0d52fca3323d%40sap.com. For more options, visit https://groups.google.com/d/optout.
Attachment: abstract.pdf
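The check the email describes (build the full dependency tree of a Java project, then compare each dependency against known advisories) can be reproduced by anyone, as the author points out. The following is an added example, not code from the email, from SAP Security Research, or from any project on the Netty list: it parses the text that `mvn dependency:tree` prints, reconstructs the transitive chain for every artifact, and flags artifacts whose version is older than the advisory's first fixed version. The dependency tree, the `org.example` artifacts and the `CVE-PLACEHOLDER-*` identifiers are all constructed sample data; a real check would populate the advisory table from the NVD and would need proper CPE range matching rather than the single "fixed in" version used here.

```python
"""Audit a Maven dependency tree against a table of known-vulnerable artifacts.

Added example (not from the email above). Reads `mvn dependency:tree` output,
rebuilds the root -> ... -> artifact chain so that transitive findings can be
traced back to the direct dependency that pulls them in, and flags versions
older than the advisory's first fixed version.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `mvn dependency:tree` output for a fictional project.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.example:http-lib:jar:4.1.0:compile
[INFO] |  \\- org.example:codec-lib:jar:1.2.3:compile
[INFO] +- org.example:json-lib:jar:2.9.8:compile
[INFO] \\- org.example:log-lib:jar:1.7.25:test
"""

# Constructed advisory table: (group, artifact) -> (placeholder id, first fixed version).
# Real entries would come from the NVD; the ids here are deliberately not real CVEs.
ADVISORIES = {
    ("org.example", "codec-lib"): ("CVE-PLACEHOLDER-0001", "1.2.5"),
    ("org.example", "json-lib"): ("CVE-PLACEHOLDER-0002", "2.9.9"),
}

# One artifact line: "[INFO] ", zero or more 3-character tree-drawing cells
# ("+- ", "|  ", "\- ", "   "), then the colon-separated coordinates.
LINE_RE = re.compile(r"^\[INFO\] ((?:[|+\\ -]{3})*)([\w.\-]+(?::[\w.\-]+)+)$")


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    advisory: str
    fixed_in: str
    path: str  # "root -> direct dependency -> ... -> vulnerable artifact"


def version_key(version):
    """Numeric tuple for ordering; non-numeric parts become -1.

    This is a simplification of Maven's ComparableVersion: qualifiers such as
    '-SNAPSHOT' or '-rc1' are not ordered the way Maven orders them.
    """
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def parse_tree(text):
    """Yield (depth, group, artifact, version, scope) for each artifact line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner and other non-tree lines
        prefix, coords = m.groups()
        parts = coords.split(":")
        if len(parts) == 4:  # root line: group:artifact:type:version
            version, scope = parts[3], None
        else:  # group:artifact:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        yield len(prefix) // 3, parts[0], parts[1], version, scope


def find_vulnerable(text, advisories=ADVISORIES):
    """Return a Finding for every artifact older than its advisory's fixed version."""
    findings = []
    chain = []  # coordinates of the ancestors of the current line, by depth
    for depth, group, artifact, version, scope in parse_tree(text):
        del chain[depth:]  # drop siblings' subtrees when the depth decreases
        chain.append(f"{group}:{artifact}:{version}")
        hit = advisories.get((group, artifact))
        if hit and version_key(version) < version_key(hit[1]):
            findings.append(Finding(group, artifact, version, scope,
                                    hit[0], hit[1], " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        print(f"{f.group}:{f.artifact}:{f.version} ({f.scope}): {f.advisory}, "
              f"fixed in {f.fixed_in}\n    via {f.path}")
```

On the sample tree this reports `codec-lib` 1.2.3, reached only transitively through `http-lib`, and `json-lib` 2.9.8, a direct dependency; `log-lib` is clean. The recorded path is what makes a transitive finding actionable: the fix is usually to upgrade or exclude the artifact at the direct dependency that pulls it in, and the `test` scope on `log-lib` shows why scope is worth keeping, since a test-only dependency never ships in the release the email is concerned with.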
