Hi.

On Tue, 13 Dec 2022 at 00:40, Kearns, Aaron (Contractor)
<akea...@contractor.usgs.gov> wrote:
>
> Hello all,
>
> I am a developer/maintainer of several java projects. Part of this is to keep 
> aware of potential vulnerabilities in project imports. I am using the OWASP 
> dependency checker plugin with gradle to identify potentially vulnerable 
> projects. One project is getting flagged for its use of commons-math3 
> (directly imported by the project), commons-codec, and commons-logging 
> (imported by other dependencies), which the checker claims have a 
> vulnerability inherited from commons-net.
>
> The problem is that I cannot find a reference to commons-net as a dependency 
> anywhere in any of these projects (either the gradle dependency list or the 
> project pages themselves), which makes me wonder why this error is occurring. 
> I am attempting to fix this issue by both excluding commons-net from the 
> dependencies.
>
> I am sending this email in hopes of verifying that this would be a useful 
> action. It is possible that the vulnerability checker is reporting a 
> false-positive (this is not the first time it has done so), in which case I 
> just need to add an exclusion and don’t actually have to set any manual 
> exclusions in the imports and don’t need to do any gradle manipulations to 
> fix it; if I don’t have to, I’d rather not, as it clutters up the dependency 
> list rather significantly.
>

Commons Math v3.6.1 (and earlier) has no dependencies, except for
running the test suite.
The upcoming release (v4.0-beta1) will depend on other Commons
components ("Numbers", "Geometry", "RNG" and "Statistics").

Regards,
Gilles

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org
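Two things a practitioner would want at this point, as an added example (not code from Commons Math, from OWASP dependency-check, or from either poster): a way to confirm a claim like "no dependencies except for running the test suite" from the artifact's published POM rather than from the scanner's report, and a draft of the suppression entry that silences only the wrongly matched CPE on the flagged artifact, which is the "add an exclusion" route preferred above over Gradle `exclude` rules. The first function reads a Maven POM and lists only the dependencies a consumer actually inherits (compile or runtime scope, not optional); test-scoped and optional entries never reach downstream projects, so they cannot carry a transitive vulnerability. The POM text is constructed for illustration, not the real commons-math3 POM. The suppression schema namespace and the commons-net CPE string are assumptions about dependency-check's suppression format; check them against the schema shipped with the installed plugin version.

```python
"""Verify what a published POM really makes transitive, and draft a scanner suppression.

Added example (not Commons Math or OWASP dependency-check code). The POM below is
constructed for illustration; it is not the real commons-math3 POM. The suppression
namespace and the CPE value are assumptions about dependency-check's suppression
format; check them against the schema shipped with your plugin version.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Maven scopes a downstream consumer inherits; "compile" is also Maven's default
# when <scope> is omitted.
TRANSITIVE_SCOPES = {"compile", "runtime"}

# Constructed sample: one test-only dependency and one optional one. Neither
# reaches a consumer, so a scanner blaming this artifact for either is wrong.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-lib</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>optional-helper</artifactId>
      <version>2.0</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag, default=""):
    """Text of a namespaced child element, or `default` when absent or empty."""
    child = elem.find(POM_NS + tag)
    if child is None or child.text is None:
        return default
    return child.text.strip() or default


def inherited_dependencies(pom_xml):
    """Return 'groupId:artifactId:scope' for each dependency a consumer pulls in.

    Skips test/provided/system scopes and optional dependencies: neither Maven nor
    Gradle propagates those to projects that depend on this artifact.
    """
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(f"./{POM_NS}dependencies/{POM_NS}dependency"):
        scope = _text(dep, "scope", "compile")
        optional = _text(dep, "optional", "false").lower() == "true"
        if scope in TRANSITIVE_SCOPES and not optional:
            found.append(f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}:{scope}")
    return found


# Assumed dependency-check suppression schema namespace and commons-net CPE.
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
COMMONS_NET_CPE = "cpe:/a:apache:commons_net"


def suppression_xml(package_url_regex, cpe, notes):
    """Draft a suppression entry that detaches `cpe` from artifacts whose package
    URL matches `package_url_regex`, so only this false positive is silenced and
    any other finding on the same artifact still shows up."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<suppressions xmlns="{SUPPRESSION_NS}">\n'
        "  <suppress>\n"
        f"    <notes>{escape(notes)}</notes>\n"
        f'    <packageUrl regex="true">{escape(package_url_regex)}</packageUrl>\n'
        f"    <cpe>{escape(cpe)}</cpe>\n"
        "  </suppress>\n"
        "</suppressions>\n"
    )


if __name__ == "__main__":
    print("inherited:", inherited_dependencies(SAMPLE_POM))  # -> []
    print(suppression_xml(
        r"^pkg:maven/org\.apache\.commons/commons\-math3@.*$",
        COMMONS_NET_CPE,
        "commons-math3 declares no compile/runtime dependencies; commons-net match is a false positive",
    ))
```

Run `inherited_dependencies` over the POM fetched for the exact version in the Gradle report before adding a suppression; if it returns an empty list (or a list without the blamed artifact), the scanner matched on a CPE, not on a real dependency edge, and the suppression file is the right fix. Write the generated XML to a file and point the Gradle plugin at it through its `dependencyCheck { suppressionFile = ... }` setting; keep the `<notes>` text specific so the next maintainer can tell why the entry exists.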
