[ https://issues.apache.org/jira/browse/JCRVLT-674?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konrad Windszus updated JCRVLT-674:
-----------------------------------
    Description:
The following issues are emitted by the {{dependency-check}} plugin for the Core Module of FileVault

{code}
One or more dependencies were identified with known vulnerabilities in Apache Jackrabbit FileVault Core Bundle:

commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10, cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
commons-collections-3.2.2.jar (pkg:maven/commons-collections/commons-collections@3.2.2, cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212, cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868
jackrabbit-jcr-commons-2.20.7.jar (pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7, cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533
jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36, cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) : CVE-2022-40152
{code}
(https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/detail/master/195/pipeline/53)

Those issues need to be fixed by either whitelisting them (if FileVault isn't affected by the CVE) or by updating the corresponding dependencies.

  was:
The following issues are emitted by the {{dependency-check}} plugin

{code}
One or more dependencies were identified with known vulnerabilities in Apache Jackrabbit FileVault Core Bundle:

commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10, cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
commons-collections-3.2.2.jar (pkg:maven/commons-collections/commons-collections@3.2.2, cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212, cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868
jackrabbit-jcr-commons-2.20.7.jar (pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7, cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533
jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36, cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) : CVE-2022-40152
{code}
(https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/detail/master/195/pipeline/53)

Those issues need to be fixed by either whitelisting them (if FileVault isn't affected by the CVE) or by updating the corresponding dependencies.

> dependency-check issues while building master branch
> ----------------------------------------------------
>
>                 Key: JCRVLT-674
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-674
>             Project: Jackrabbit FileVault
>          Issue Type: Bug
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>
> The following issues are emitted by the {{dependency-check}} plugin for the
> Core Module of FileVault
> {code}
> One or more dependencies were identified with known vulnerabilities in Apache
> Jackrabbit FileVault Core Bundle:
> commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10,
> cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
> commons-collections-3.2.2.jar
> (pkg:maven/commons-collections/commons-collections@3.2.2,
> cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
> h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212,
> cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868
> jackrabbit-jcr-commons-2.20.7.jar
> (pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7,
> cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533
> jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36,
> cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
> woodstox-core-6.1.1.jar
> (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) : CVE-2022-40152
> {code}
> (https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/detail/master/195/pipeline/53)
> Those issues need to be fixed by either whitelisting them (if FileVault isn't
> affected by the CVE) or by updating the corresponding dependencies.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
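
A triage helper for the report quoted above, as an added example that is not part of the original message or of the FileVault build: it parses the findings and lists, per jar, every CPE product name that does not correspond to the Maven artifact name, which are the entries to examine first when choosing between a suppression and an upgrade. The function names and the name-matching heuristic are assumptions made for this illustration.

```python
import re

# Findings copied from the dependency-check output quoted in the issue above.
REPORT = """\
commons-codec-1.10.jar (pkg:maven/commons-codec/commons-codec@1.10, cpe:2.3:a:apache:commons_net:1.10:*:*:*:*:*:*:*) : CVE-2021-37533
commons-collections-3.2.2.jar (pkg:maven/commons-collections/commons-collections@3.2.2, cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
h2-2.1.212.jar (pkg:maven/com.h2database/h2@2.1.212, cpe:2.3:a:h2database:h2:2.1.212:*:*:*:*:*:*:*) : CVE-2022-45868
jackrabbit-jcr-commons-2.20.7.jar (pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@2.20.7, cpe:2.3:a:apache:commons_net:2.20.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit:2.20.7:*:*:*:*:*:*:*) : CVE-2021-37533
jcl-over-slf4j-1.7.36.jar (pkg:maven/org.slf4j/jcl-over-slf4j@1.7.36, cpe:2.3:a:apache:commons_net:1.7.36:*:*:*:*:*:*:*) : CVE-2021-37533
woodstox-core-6.1.1.jar (pkg:maven/com.fasterxml.woodstox/woodstox-core@6.1.1) : CVE-2022-40152
"""

# One finding per line: "<jar> (<purl>[, <cpe>...]) : <CVE>[, <CVE>...]"
FINDING = re.compile(r"^(?P<jar>\S+\.jar) \((?P<ids>.+)\) : (?P<cves>.+)$")


def _norm(name):
    """Lower-case and drop separators so commons_net and commons-net compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def triage(report):
    """Return one dict per finding, listing CPE products that do not match the artifact."""
    results = []
    for line in report.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue  # skip headers and blank lines
        ids = [i.strip() for i in m["ids"].split(",")]
        purl = next(i for i in ids if i.startswith("pkg:"))
        artifact = purl.rsplit("/", 1)[1].split("@")[0]
        # CPE 2.3 fields: cpe:2.3:<part>:<vendor>:<product>:<version>:...
        products = [i.split(":")[4] for i in ids if i.startswith("cpe:2.3:")]
        # Heuristic (assumption): a CPE product belongs to the jar if its
        # normalized name occurs inside the normalized artifact name.
        mismatched = [p for p in products if _norm(p) not in _norm(artifact)]
        results.append({"jar": m["jar"], "artifact": artifact,
                        "cves": m["cves"].split(", "), "mismatched_cpe": mismatched})
    return results


if __name__ == "__main__":
    for f in triage(REPORT):
        note = ("review CPE match: " + ", ".join(f["mismatched_cpe"])
                if f["mismatched_cpe"] else "CPE consistent or none reported")
        print(f"{f['jar']:36} {','.join(f['cves']):16} {note}")
```

A name mismatch only marks an entry for manual review; whether FileVault is affected still has to be checked against the CVE itself.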