[ https://issues.apache.org/jira/browse/CONNECTORS-1715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552149#comment-17552149 ]
Karl Wright edited comment on CONNECTORS-1715 at 6/9/22 11:50 AM:
------------------------------------------------------------------

[~pj.fanning], this is a blanket scan identifying jars with known CVEs. There has been no analysis done whatsoever about whether the specific CVE attack is even a possibility in the ManifoldCF environment. That's a lot of work, but I will wager after all of that the major problem is that the tool doesn't understand the actual usage of ManifoldCF and is thus incapable of giving good advice.

Another thing to note is that most of ManifoldCF's dependencies come from Tika. We just upgraded a month ago to the latest Tika 1.x version, which required massive dependency updates precisely to address CVEs that had been noted. This took me almost three weeks because many of the underlying contracts in the jars also had to be updated. That's a lot of work if a vulnerability cannot in fact be exploited at all, just to make a dumb tool happy.

I think it's fine if a careful analysis is done and an ACTUAL vulnerability is detected, but we want to not be stupid about this. Can't afford it.
> Vulnerabilities in 45 jars in Apache Manifold CF 2.22.1 version
> ---------------------------------------------------------------
>
>                 Key: CONNECTORS-1715
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1715
>             Project: ManifoldCF
>          Issue Type: Bug
>    Affects Versions: ManifoldCF 2.22
>            Reporter: Himanshu
>            Assignee: Karl Wright
>            Priority: Major
>             Fix For: ManifoldCF 2.23
>
>         Attachments: dependency-check-report-Apache Manifold.html
>
>
> 45 vulnerable jars are present in apache-manifoldcf version 2.22.1

--
This message was sent by Atlassian Jira
(v8.20.7#820007)