Hi.

On Tue, 13 Dec 2022 at 00:40, Kearns, Aaron (Contractor) <akea...@contractor.usgs.gov> wrote:
>
> Hello all,
>
> I am a developer/maintainer of several java projects. Part of this is to keep aware of potential vulnerabilities in project imports. I am using the OWASP dependency checker plugin with gradle to identify potentially vulnerable projects. One project is getting flagged for its use of commons-math3 (directly imported by the project), commons-codec, and commons-logging (imported by other dependencies), which the checker claims have a vulnerability inherited from commons-net.
>
> The problem is that I cannot find a reference to commons-net as a dependency anywhere in any of these projects (either the gradle dependency list or the project pages themselves), which makes me wonder why this error is occurring. I am attempting to fix this issue by excluding commons-net from the dependencies.
>
> I am sending this email in hopes of verifying that this would be a useful action. It is possible that the vulnerability checker is reporting a false-positive (this is not the first time it has done so), in which case I just need to add an exclusion and don’t actually have to set any manual exclusions in the imports and don’t need to do any gradle manipulations to fix it; if I don’t have to, I’d rather not, as it clutters up the dependency list rather significantly.
>
Commons Math v3.6.1 (and earlier) has no dependencies, except for running the test suite.
The upcoming release (v4.0-beta1) will depend on other Commons components ("Numbers", "Geometry", "RNG" and "Statistics").

Regards,
Gilles
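Added example (not from either poster or the Commons project): a dependency-check suppression that removes the mismatch for commons-math3 only, instead of excluding commons-net from the build. It assumes the finding is a CPE match on Commons Net (`cpe:/a:apache:commons_net`, assumed identifier) against the `org.apache.commons:commons-math3` artifact, and that the file is wired in with `dependencyCheck { suppressionFile = 'config/dependency-check-suppressions.xml' }` in build.gradle.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: scope the suppression to the one mis-identified artifact, so a
     genuine commons-net dependency appearing later in the graph is still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: dependency-check maps commons-math3 to the Commons Net CPE.
      Commons Math 3.6.1 declares no runtime dependencies (see the reply above) and
      the gradle dependency tree contains no commons-net artifact.
    ]]></notes>
    <!-- Match only the commons-math3 artifact, any version (assumed coordinates). -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-math3@.*$</packageUrl>
    <!-- Suppress the CPE identification rather than a single CVE: every finding
         attached to that product disappears for this artifact and nothing else. -->
    <cpe>cpe:/a:apache:commons_net</cpe>
  </suppress>
</suppressions>
```

Before adding an entry, confirm the artifact really has no such dependency with `./gradlew dependencyInsight --dependency commons-net --configuration runtimeClasspath`; the same per-artifact pattern then applies to commons-codec and commons-logging if they turn out to be mis-identified in the same way.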