Hello, I just released a minor update to the jmx_exporter (https://github.com/prometheus/jmx_exporter/releases/tag/parent-0.16.1).
It fixes a false positive CVE warning. The Java 7+ binary of the previous release contains metadata pointing to the snakeyaml library version 1.23. This causes the Trivy security scanner <https://github.com/aquasecurity/trivy> to wrongly report CVE-2017-18640 <https://nvd.nist.gov/vuln/detail/CVE-2017-18640>, even though that snakeyaml version is not included in the binary. Update 0.16.1 removes the misleading metadata.

Fabian
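A triage check for this kind of scanner finding, added here as an example and not taken from the announcement or from the jmx_exporter project: it lists the Maven coordinates a JAR declares in embedded `pom.properties` files and counts the class files that back each one. It assumes the metadata in question lives under `META-INF/maven/`, which the announcement does not specify; the sample JAR and the `com.example:agent` coordinate are constructed.

```python
import io
import zipfile

def parse_properties(text):
    """Parse key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_jar_metadata(jar):
    """List each embedded pom.properties coordinate and count the .class
    entries under its groupId path (relocated/shaded copies included)."""
    records = []
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        classes = ["/" + n for n in names if n.endswith(".class")]
        poms = [n for n in names if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]
        for name in poms:
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            group = props.get("groupId", "")
            pkg = "/" + group.replace(".", "/") + "/"
            records.append({
                "coordinate": f"{group}:{props.get('artifactId', '')}",
                "version": props.get("version", ""),
                "source": name,
                "class_files": sum(pkg in c for c in classes) if group else 0,
            })
    return records

def metadata_only(records):
    """Coordinates that metadata declares but no class file backs."""
    return [r for r in records if r["class_files"] == 0]

def build_sample_jar():
    """Constructed sample: an agent JAR carrying stray snakeyaml metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.example/agent/pom.properties",
                    "groupId=com.example\nartifactId=agent\nversion=1.0.0\n")
        zf.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                    "#Generated\ngroupId=org.yaml\nartifactId=snakeyaml\nversion=1.23\n")
        zf.writestr("com/example/agent/Main.class", b"\xca\xfe\xba\xbe")
    return buf

if __name__ == "__main__":
    print(metadata_only(audit_jar_metadata(build_sample_jar())))
```

A `class_files` count of zero is a heuristic: a library relocated under a renamed package will not match its groupId path, and a nonzero count shows only that some copy of the library is present, not that it is the declared version.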