On Thu, Nov 13, 2025 at 3:48 PM Elliotte Rusty Harold <[email protected]>
wrote:

> The nagging of rather dumb static analyzers is not a security issue.
> If the static analyzer reports things that aren't issues, turn it off.
>

The problem with that is who is authorized to "turn it off."  And in a lot
of cases with deep nesting it really is not practical to analyze in detail
whether a vuln is actually a risk, *and to ensure it does not become one.*
For that reason, a lot of our users don't have the choice to ignore these
things.

Phil

>
> On Thu, Nov 13, 2025 at 11:14 AM Vladimir Sitnikov
> <[email protected]> wrote:
> >
> > >That would probably be a waste of time since neither json-lib 2.3 nor
> > >ezmorph 1.0.6 use the ClassUtils class affected by the CVE:
> >
> > See, GitHub nags me about "your dependencies have CVE".
> > I am sure I am not the only one who still has commons-lang via transitive
> > dependency.
> >
> > I am sure the actual ClassUtil usage is minimal, however, I do not want
> > to have vulnerable classes on the classpath.
> >
> > Frankly, the policy of "not providing a fix for CVE" does not sound right
> > to me.
> >
> > I've prepared a fix:
> >
> https://github.com/apache/commons-lang/compare/LANG_2_6...vlsi:commons-lang:lang-2.6-CVE-2025-48924?expand=1
> >
> > >How about using the
> > >current io.codearte.gradle.nexus:gradle-nexus-staging-plugin 0.30.0
> >
> > It might work, however having a clear way to avoid CVE would help
> > consumers while they remove -lang:2 from their code.
> >
> > Vladimir
>
>
>
> --
> Elliotte Rusty Harold
> [email protected]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
