[jira] [Commented] (ZOOKEEPER-4510) dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17531892#comment-17531892 ]

Mohammad Arshad commented on ZOOKEEPER-4510:
--------------------------------------------

Upgrading dependency-check-maven to the latest release, 7.1.0, solves this false-positive CVE issue. I will raise a PR.

> dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> ---
>
>                 Key: ZOOKEEPER-4510
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4510
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Mohammad Arshad
>            Assignee: Mohammad Arshad
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 3.6.4, 3.7.
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> On branch-3.7 "mvn clean package -DskipTests dependency-check:check" is failing with the following errors.
> {code:java}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper-assembly:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> {code}

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (ZOOKEEPER-4510) dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17520474#comment-17520474 ]

Mohammad Arshad commented on ZOOKEEPER-4510:
--------------------------------------------

As the CVE false-positive issue resolution is taking time, let's suppress those CVEs and move on. I raised a PR.

> dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> ---
>
>                 Key: ZOOKEEPER-4510
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4510
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Mohammad Arshad
>            Assignee: Mohammad Arshad
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 3.7.1, 3.6.4
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> On branch-3.7 "mvn clean package -DskipTests dependency-check:check" is failing with the following errors.
> {code:java}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper-assembly:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> {code}
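A dependency-check suppression file of the kind the comment above describes, written here as an added example and not the PR the commenter raised; the file name, the notes text and the assumed Maven coordinates for reload4j (groupId ch.qos.reload4j, artifactId reload4j) are assumptions, while the CVE ids and version come from the thread:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (dependency-check-suppressions.xml, name assumed); not ZooKeeper's own file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: CVE-2020-9493 and CVE-2022-23307 are log4j 1.x findings
        that reload4j 1.2.19 already fixes (see qos-ch/reload4j issue 21, linked
        in this thread). The suppression is scoped to the reload4j package URL
        only, so the same CVE ids would still be reported against any other
        artifact. Remove it once the scanner upgrade resolves the false positive
        (reported upstream as jeremylong/DependencyCheck issue 4316).
        ]]></notes>
        <!-- Assumed coordinates: ch.qos.reload4j:reload4j, any version. -->
        <packageUrl regex="true">^pkg:maven/ch\.qos\.reload4j/reload4j@.*$</packageUrl>
        <cve>CVE-2020-9493</cve>
        <cve>CVE-2022-23307</cve>
    </suppress>
</suppressions>
```

Reference the file from the dependency-check-maven plugin's <suppressionFiles> configuration in the pom so that "mvn dependency-check:check" picks it up. Once the plugin is upgraded to 7.1.0, which another comment in this thread reports as resolving the false positive, the suppression can be dropped.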
[jira] [Commented] (ZOOKEEPER-4510) dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17517849#comment-17517849 ]

Mohammad Arshad commented on ZOOKEEPER-4510:
--------------------------------------------

Thanks [~c...@qos.ch] for the good suggestion. I reported the false-positive issue:
https://github.com/jeremylong/DependencyCheck/issues/4316

> dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> ---
>
>                 Key: ZOOKEEPER-4510
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4510
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Mohammad Arshad
>            Priority: Critical
>             Fix For: 3.7.1, 3.6.4
>
>
> On branch-3.7 "mvn clean package -DskipTests dependency-check:check" is failing with the following errors.
> {code:java}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper-assembly:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> {code}
[jira] [Commented] (ZOOKEEPER-4510) dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17517718#comment-17517718 ]

Ceki Gülcü commented on ZOOKEEPER-4510:
---------------------------------------

I suggest that this false positive be reported at https://github.com/jeremylong/DependencyCheck

> dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> ---
>
>                 Key: ZOOKEEPER-4510
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4510
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Mohammad Arshad
>            Priority: Critical
>             Fix For: 3.7.1, 3.6.4
>
>
> On branch-3.7 "mvn clean package -DskipTests dependency-check:check" is failing with the following errors.
> {code:java}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper-assembly:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> {code}
[jira] [Commented] (ZOOKEEPER-4510) dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17517660#comment-17517660 ]

Mohammad Arshad commented on ZOOKEEPER-4510:
--------------------------------------------

You are right, I can see both CVEs are marked as fixed:
https://github.com/qos-ch/reload4j/issues/21
https://github.com/qos-ch/reload4j/commit/64902fe18ce5a5dd40487051a2f6231d9fbbe9b0
But I don't know why these CVEs are reported in dependency-check. I think we have to exclude these CVEs to pass the dependency check.

> dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> ---
>
>                 Key: ZOOKEEPER-4510
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4510
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Mohammad Arshad
>            Priority: Critical
>             Fix For: 3.7.1, 3.6.4
>
>
> On branch-3.7 "mvn clean package -DskipTests dependency-check:check" is failing with the following errors.
> {code:java}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper-assembly:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> {code}
[jira] [Commented] (ZOOKEEPER-4510) dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17517491#comment-17517491 ]

Christopher Tubbs commented on ZOOKEEPER-4510:
----------------------------------------------

1.2.19 is the latest version right now and includes changes to address these.

> dependency-check:check failing - reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> ---
>
>                 Key: ZOOKEEPER-4510
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4510
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Mohammad Arshad
>            Priority: Critical
>             Fix For: 3.7.1, 3.6.4
>
>
> On branch-3.7 "mvn clean package -DskipTests dependency-check:check" is failing with the following errors.
> {code:java}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.3:check (default-cli) on project zookeeper-assembly:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] reload4j-1.2.19.jar: CVE-2020-9493, CVE-2022-23307
> {code}