Re: H2 CVE

2023-06-22 Thread David Handermann
Hi Mike,

Thanks for noting this finding with H2. Unfortunately there are a large
number of dependencies with associated vulnerability findings, many of
which are false positives.

The OWASP suppressions configuration includes a note for this specific
vulnerability:

https://github.com/apache/nifi/blob/main/nifi-dependency-check-maven/suppressions.xml#L23

I have considered running the OWASP dependency check as a scheduled job in
GitHub Actions, which would highlight findings, and also indicate
suppressions based on project evaluation. It seems like that could be
useful for these types of scenarios.

Regards,
David Handermann

On Thu, Jun 22, 2023 at 9:09 AM Mike Thomsen wrote:

> A colleague found this "CVE" report for H2. I agree with the H2 devs that
> it's a big joke of a CVE, but it's something we might want to add to the
> documentation to discuss because it could cause grief for our users.
>
> https://github.com/h2database/h2database/issues/3686
>

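As an added illustration of the suppressions-with-notes approach described above (this is example code written for this page, not NiFi's own tooling and not part of the thread): a small Python audit over a constructed suppressions.xml in the OWASP dependency-check format. It flags entries with no <notes> rationale, entries with no specific <cve>/<cpe>/<vulnerabilityName>/<cvssBelow> target (which silence every finding for the matched artifact), and entries whose "until" date has passed. The CVE identifiers and the org.example package coordinates in the sample are placeholders; nothing in it describes the actual H2 finding.

```python
"""Audit an OWASP dependency-check suppressions.xml.

Added example (not NiFi's code): every <suppress> entry should carry a <notes>
rationale, target a specific finding, and not be past its "until" date.
"""
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample in the dependency-check suppression format. The CVE ids
# and the org.example coordinates are placeholders, not real findings.
SAMPLE_SUPPRESSIONS = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        Reviewed: the reported weakness is in a component this project
        does not ship or invoke.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
        <cve>CVE-0000-0001</cve>
    </suppress>
    <suppress until="2023-01-01Z">
        <notes><![CDATA[Temporary: waiting for an upstream patch release.]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.example/lib@.*$</packageUrl>
        <cve>CVE-0000-0002</cve>
    </suppress>
    <suppress>
        <packageUrl regex="true">^pkg:maven/org\.example/other@.*$</packageUrl>
    </suppress>
</suppressions>
"""

# Child elements that narrow a suppression to a specific finding.
TARGET_TAGS = {"cve", "cpe", "vulnerabilityName", "cvssBelow"}

MISSING_NOTES = "missing rationale in <notes>"
NO_TARGET = ("no <cve>, <cpe>, <vulnerabilityName> or <cvssBelow>: "
             "suppresses every finding for the matched artifact")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_suppressions(xml_text, today):
    """Return [(index, [problem, ...]), ...] for every problematic <suppress>.

    `today` is an ISO date string used to decide whether an "until" date
    has expired.
    """
    today_date = dt.date.fromisoformat(today)
    root = ET.fromstring(xml_text)
    findings = []
    entries = (child for child in root if _local(child.tag) == "suppress")
    for idx, sup in enumerate(entries):
        children = {_local(child.tag): child for child in sup}
        problems = []
        notes = children.get("notes")
        if notes is None or not (notes.text or "").strip():
            problems.append(MISSING_NOTES)
        if not TARGET_TAGS.intersection(children):
            problems.append(NO_TARGET)
        until = sup.get("until")
        if until:
            # Schema type is xs:date; accept "2023-01-01", "2023-01-01Z", etc.
            expiry = dt.date.fromisoformat(until[:10])
            if expiry < today_date:
                problems.append(f"expired on {expiry.isoformat()}")
        if problems:
            findings.append((idx, problems))
    return findings


def format_report(findings):
    """One line per flagged suppression; empty string when all are clean."""
    return "\n".join(f"suppression #{idx}: " + "; ".join(problems)
                     for idx, problems in findings)


if __name__ == "__main__":
    report = format_report(
        audit_suppressions(SAMPLE_SUPPRESSIONS, dt.date.today().isoformat()))
    print(report or "all suppressions documented, targeted and current")
```

Run against the project's real suppressions.xml with today's date, this is the kind of check a scheduled CI job could fail on, so that a suppression added for one evaluation does not silently outlive it or, lacking a target element, hide unrelated findings for the same artifact.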

H2 CVE

2023-06-22 Thread Mike Thomsen
A colleague found this "CVE" report for H2. I agree with the H2 devs that
it's a big joke of a CVE, but it's something we might want to add to the
documentation to discuss because it could cause grief for our users.

https://github.com/h2database/h2database/issues/3686