Hello Aaron,
Are you perhaps encountering
https://github.com/jeremylong/DependencyCheck/issues/5132 ?
This should be fixed in 7.4.1 which was released only a few days ago.
With kind regards,
Jurrie
On 12-12-2022 23:54, Kearns, Aaron (Contractor) wrote:
Hello all,
I am a developer/maintainer of several java projects. Part of this is
to keep aware of potential vulnerabilities in project imports. I am
using the OWASP dependency checker plugin with gradle to identify
potentially vulnerable projects. One project is getting flagged for
its use of commons-math3 (directly imported by the project),
commons-codec, and commons-logging (imported by other dependencies),
which the checker claims have a vulnerability inherited from commons-net.
The problem is that I cannot find a reference to commons-net as a
dependency anywhere in any of these projects (either the gradle
dependency list or the project pages themselves), which makes me
wonder why this error is occurring. I am attempting to fix this issue
by excluding commons-net from the dependencies.
I am sending this email in hopes of verifying that this would be a
useful action. It is possible that the vulnerability checker is
reporting a false positive (this is not the first time it has done
so), in which case I just need to add an exclusion and don’t actually
have to set any manual exclusions in the imports and don’t need to do
any gradle manipulations to fix it; if I don’t have to, I’d rather
not, as it clutters up the dependency list rather significantly.
Aaron Kearns
KBR | Software Engineer, Government Solutions
Office: +1 505.853.2582 | Mobile: +1 304.997.0148
aaron.kea...@kbr.com
akea...@contractor.usgs.gov
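The question in the thread is whether the commons-net finding on commons-math3 is a misidentification that should be suppressed, or a real transitive dependency that should be excluded. One way to tell the two apart mechanically, and to draft a narrow suppression for the first case, is to read the scanner's JSON report and compare the CPE it matched against each artifact's own Maven package URL. The script below is an added example, not code from the thread, from Dependency-Check or from its Gradle plugin; the report excerpt is constructed, the CVE id is a placeholder, and the field names (`fileName`, `packages[].id`, `vulnerabilityIds[].id`, `vulnerabilities[].name`) are assumed to match the JSON report layout.

```python
"""Triage a Dependency-Check JSON report for CPE misidentifications and draft
a suppression file for them. Added example with a constructed report; the
report field names are an assumption about the JSON report format."""
import json
import re
import xml.etree.ElementTree as ET

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed excerpt of a dependency-check-report.json, mirroring the situation
# in the thread: commons-math3 matched to the commons_net CPE, plus a genuine
# commons-net jar for contrast. CVE id is a placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "commons-math3-3.6.1.jar",
            "packages": [{"id": "pkg:maven/org.apache.commons/commons-math3@3.6.1"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:commons_net:3.6.1:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-0000-00000", "severity": "HIGH"}],
        },
        {
            "fileName": "commons-net-3.8.0.jar",
            "packages": [{"id": "pkg:maven/commons-net/commons-net@3.8.0"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:commons_net:3.8.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "CVE-0000-00000", "severity": "HIGH"}],
        },
        {
            "fileName": "commons-codec-1.15.jar",
            "packages": [{"id": "pkg:maven/commons-codec/commons-codec@1.15"}],
            "vulnerabilityIds": [],
            "vulnerabilities": [],
        },
    ]
})

CPE_RE = re.compile(r"^cpe:2\.3:a:([^:]+):([^:]+):")
PURL_RE = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@(.+)$")


def find_misidentified(report_text):
    """Return dependencies whose matched CPE product name does not occur in the
    artifactId of their own Maven package URL. A commons-net jar matched to
    cpe:/a:apache:commons_net is a real finding; commons-math3 matched to the
    same CPE is a candidate false positive."""
    report = json.loads(report_text)
    suspects = []
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", []) if p["id"].startswith("pkg:maven/")]
        if not purls:
            continue
        m_purl = PURL_RE.match(purls[0])
        if not m_purl:
            continue
        group, artifact, _version = m_purl.groups()
        for vid in dep.get("vulnerabilityIds", []):
            m_cpe = CPE_RE.match(vid["id"])
            if not m_cpe:
                continue
            product = m_cpe.group(2)
            # CPE spells the product commons_net, Maven spells it commons-net.
            if product.replace("_", "-") not in artifact:
                suspects.append({
                    "fileName": dep["fileName"],
                    "purl": purls[0],
                    "group": group,
                    "artifact": artifact,
                    "cpe": vid["id"],
                    "cves": [v["name"] for v in dep.get("vulnerabilities", [])],
                })
    return suspects


def build_suppressions(suspects):
    """Draft a Dependency-Check suppression file. Each entry is keyed on the
    exact Maven coordinates (regex-escaped) and on the misidentified CPE, so a
    genuine commons-net artifact appearing later is still reported."""
    ET.register_namespace("", SUPPRESSION_NS)
    root = ET.Element(f"{{{SUPPRESSION_NS}}}suppressions")
    for s in suspects:
        sup = ET.SubElement(root, f"{{{SUPPRESSION_NS}}}suppress")
        notes = ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}notes")
        notes.text = f"False positive: {s['fileName']} identified as {s['cpe']}"
        purl = ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}packageUrl", regex="true")
        purl.text = "^pkg:maven/" + re.escape(s["group"]) + "/" + re.escape(s["artifact"]) + "@.*$"
        vendor, product = CPE_RE.match(s["cpe"]).groups()
        cpe = ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}cpe")
        cpe.text = f"cpe:/a:{vendor}:{product}"  # suppression files use the cpe:/a:vendor:product form
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found = find_misidentified(SAMPLE_REPORT)
    for s in found:
        print(f"{s['fileName']}: matched {s['cpe']} -> likely misidentification, CVEs {s['cves']}")
    print(build_suppressions(found))
```

The output is the kind of file the Gradle plugin's `suppressionFile` setting points at. Keying the entry on both the package URL and the CPE is deliberate: a Gradle `exclude` of commons-net would do nothing here, because the jar being flagged is commons-math3, and a broad suppression of the CPE alone would also hide a real commons-net dependency if one is ever pulled in transitively.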