Hello,

I just released a minor update to the jmx_exporter
(https://github.com/prometheus/jmx_exporter/releases/tag/parent-0.16.1).

It fixes a false positive CVE warning. The Java 7+ binary of the previous 
release contains metadata pointing to the snakeyaml library version 1.23. 
This causes the Trivy security scanner 
<https://github.com/aquasecurity/trivy> to wrongly report CVE-2017-18640 
<https://nvd.nist.gov/vuln/detail/CVE-2017-18640>, even though that 
snakeyaml version is not included in the binary.

Update 0.16.1 removes the misleading metadata.

Fabian
