Konrad Windszus created JCRVLT-674:
--------------------------------------

             Summary: dependency-check issues while building master branch
                 Key: JCRVLT-674
                 URL: https://issues.apache.org/jira/browse/JCRVLT-674
             Project: Jackrabbit FileVault
          Issue Type: Bug
            Reporter: Konrad Windszus
            Assignee: Konrad Windszus


The following issues are emitted by the {{dependency-check}} plugin:

{code}
One or more dependencies were identified with known vulnerabilities in Apache 
Jackrabbit FileVault Core Bundle:



commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10, 
cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533

commons-collections-3.2.2.jar 
(pkg:maven/commons-collections/commons-collections@3.2.2, 
cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, 
cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533

h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212, 
cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868

jackrabbit-jcr-commons-2.20.7.jar 
(pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7, 
cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*, 
cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533

jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36, 
cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533

woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) 
: CVE-2022-40152
{code}

(https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/detail/master/195/pipeline/53)

Those issues need to be fixed by either whitelisting them (if FileVault isn't 
affected by the CVE) or updating the corresponding dependencies.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
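
A triage sketch for the report above, added here as an example and not part of the original issue or the FileVault build: it parses the plugin's wrapped output and lists, per jar, every CPE product name that does not match the Maven artifactId, which is the first thing to verify before whitelisting a finding. The prefix comparison and the names `SAMPLE`, `parse` and `triage` are assumptions of this example; `SAMPLE` is constructed from four findings in the report.

```python
import re

# Constructed sample: four findings from the report above, line wrapping kept.
SAMPLE = """
commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10,
cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533

h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212,
cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868

jackrabbit-jcr-commons-2.20.7.jar
(pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7,
cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*,
cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533

woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1)
: CVE-2022-40152
"""

FINDING = re.compile(r"^(?P<jar>\S+\.jar)\s*\((?P<ids>[^)]*)\)\s*:\s*"
                     r"(?P<cves>CVE-\d+-\d+(?:,\s*CVE-\d+-\d+)*)$")

def norm(name):
    """Lower-case and fold '-', '.', etc. to '_' so names compare cleanly."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower())

def parse(report):
    """Yield (jar, artifactId, [CPE products], [CVEs]) for each finding."""
    for block in re.split(r"\n\s*\n", report.strip()):
        # Undo the hard wrapping: one finding becomes one line.
        text = " ".join(line.strip() for line in block.splitlines())
        m = FINDING.match(text)
        if not m:
            continue  # header text or anything that is not a finding
        ids = [i.strip() for i in m["ids"].split(",")]
        purl = next((i for i in ids if i.startswith("pkg:maven/")), "")
        artifact = purl.split("/")[-1].split("@")[0]
        products = [i.split(":")[4] for i in ids if i.startswith("cpe:2.3:")]
        yield m["jar"], artifact, products, re.findall(r"CVE-\d+-\d+", m["cves"])

def triage(report):
    """Map jar -> (CVEs, CPE products whose name does not match the artifactId)."""
    result = {}
    for jar, artifact, products, cves in parse(report):
        art = norm(artifact)
        result[jar] = (cves, [p for p in products if not art.startswith(norm(p))])
    return result

if __name__ == "__main__":
    for jar, (cves, odd) in triage(SAMPLE).items():
        print(jar, cves, "CPE to verify:", odd or "none")
```

An empty mismatch list does not clear a finding; it only means the CPE name gives no hint, so the CVE still has to be assessed against how FileVault uses the dependency.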
