Hi Mark, I'm just repeating the response I just sent to another user on this email list - just in case you missed that thread.
These CVEs are not POI issues. We will release POI 5.1.0 when it is ready, which should be soon. But the real fix on your side is to upgrade the Batik, commons-compress and other dependencies that you have in your build. You don't need to rely on POI changing its transitive dependencies. We expect POI 5.0.0 to work with the latest Batik and commons-compress releases (as we had no issues upgrading the 5.1.0 build). You can also exclude Batik explicitly in your build if you don't need SVG rendering support.

On Thursday 23 September 2021, 11:45:29 IST, Marc Caparros <marc.capar...@ceitasl.com> wrote:

> Hi,
>
> I am using your library org.apache.poi with name: 'poi-ooxml' and version: '5.0.0' for my project, and after creating my jars I have run a vulnerability scan with the trivy command. The scan has reported HIGH vulnerabilities in two dependencies of the library.
>
> | Library                                 | Vulnerability  | Severity | Installed Version | Fixed Version | Title                                                                                                     |
> | org.apache.xmlgraphics:batik-svgbrowser | CVE-2020-11987 | HIGH     | 1.13              | 1.14          | batik: SSRF due to improper input validation by the NodePickerPanel --> avd.aquasec.com/nvd/cve-2020-11987 |
>
> The first one is in the library org.apache.xmlgraphics » batik-all, which is included in your dependencies.
>
> | Library                             | Vulnerability  | Severity | Installed Version | Fixed Version | Title                    |
> | org.apache.commons:commons-compress | CVE-2021-35515 | HIGH     | 1.20              | 1.21          | apache-commons-compress: |
>
> And the second one is in the library org.apache.commons » commons-compress, which is also included in your dependencies.
>
> I am writing to ask you whether it would be possible to update the versions of these two libraries (Batik needs 1.14 and commons-compress needs 1.21) and publish a patch of version 5.0.0 of 'poi-ooxml'.
>
> In closing, I should mention that I am using the Maven repository to include the library in my project (https://mvnrepository.com/artifact/org.apache.poi/poi-ooxml); let me know if I can find a version of POI with the vulnerabilities fixed elsewhere.
>
> Thank you so much!
>
> Marc.
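The two options in the reply above (override the transitive versions in your own build, or drop Batik entirely when you don't render SVG) can both be expressed in a Gradle build, which is the build system Marc's `name: 'poi-ooxml', version: '5.0.0'` syntax suggests. The following build.gradle is an added illustration, not code from the POI project or from either participant; it assumes, as Marc's report states, that poi-ooxml 5.0.0 pulls in org.apache.xmlgraphics:batik-all and org.apache.commons:commons-compress transitively, and that the fixed versions are the ones trivy printed (Batik 1.14, commons-compress 1.21).

```groovy
// build.gradle (Groovy DSL) -- added example, not part of the original thread.
// Assumption: poi-ooxml 5.0.0 transitively brings batik-all 1.13 and commons-compress 1.20,
// exactly as the trivy report in the quoted message shows.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation('org.apache.poi:poi-ooxml:5.0.0') {
        // Option B from the reply: if you never render SVG (XSLF/XSSF picture support),
        // remove Batik from the graph altogether instead of patching its version.
        // Comment this 'exclude' out if you DO need SVG rendering and rely on the
        // constraint below to lift Batik to 1.14 instead.
        exclude group: 'org.apache.xmlgraphics', module: 'batik-all'
    }

    // Option A from the reply: fix the vulnerable transitive versions in YOUR build.
    // Gradle resolves each module to the highest version requested, so a constraint
    // at 1.21 wins over POI's 1.20 without waiting for a new POI release.
    constraints {
        implementation('org.apache.commons:commons-compress:1.21') {
            because 'CVE-2021-35515 reported by trivy against 1.20; fixed in 1.21'
        }
        implementation('org.apache.xmlgraphics:batik-all:1.14') {
            because 'CVE-2020-11987 reported by trivy against 1.13; fixed in 1.14 (no-op while excluded above)'
        }
    }
}
```

After changing the build, confirm what actually lands on the runtime classpath before trusting the scanner again: `./gradlew dependencyInsight --dependency commons-compress --configuration runtimeClasspath` shows which version was selected and which declaration forced it, and `./gradlew dependencies --configuration runtimeClasspath` should no longer list any `batik-*` module when the exclusion is active. Only then re-run trivy against the rebuilt artifact; a constraint that is declared on the wrong configuration (for example `compileOnly`) will satisfy the build but leave the old jar in the shipped archive.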
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org