Hi,
We look at what the CVE is about. Some CVEs are irrelevant (see the recent rant
from Tim) and we can add an exclusion in the OSS section. Sometimes all
that is needed is to update a dependency, add it to the management
section, or exclude it (on the assumption that the tests cover everything).
About this case: it has been updated in the repository to exclude two
threeten versions from OSS.
Tilman
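The three options Tilman lists, written out as pom.xml configuration, as an added example that is not from the Tika repository or the plugin's documentation; it assumes the ossindex-maven-plugin's excludeVulnerabilityIds and excludeCoordinates parameters, and the managed version is a placeholder to be replaced with the first release the CVE advisories mark as fixed:

```xml
<!-- Option 1: pin the transitive dependency to a fixed release in dependencyManagement.
     Preferred when a fix exists, because it removes the vulnerable code instead of hiding the report. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.threeten</groupId>
      <artifactId>threetenbp</artifactId>
      <version>FIXED_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <plugin>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-plugin</artifactId>
      <version>3.2.0</version>
      <executions>
        <execution>
          <id>audit-dependencies</id>
          <goals><goal>audit</goal></goals>
        </execution>
      </executions>
      <configuration>
        <!-- Option 2: suppress specific CVE ids judged not to apply to this project.
             Each entry is an accepted risk; record the reasoning next to it. -->
        <excludeVulnerabilityIds>
          <!-- NULL pointer dereference (CVSS 3.7); reachable only through an API this project does not call -->
          <exclude>CVE-2024-23081</exclude>
          <!-- Integer overflow (CVSS 5.3); same reasoning -->
          <exclude>CVE-2024-23082</exclude>
        </excludeVulnerabilityIds>
        <!-- Option 3: exclude a coordinate outright so no finding against it fails the build.
             Broadest suppression: future CVEs on this version will also be silenced, so revisit on every upgrade. -->
        <excludeCoordinates>
          <exclude>
            <groupId>org.threeten</groupId>
            <artifactId>threetenbp</artifactId>
            <version>1.3.3</version>
          </exclude>
        </excludeCoordinates>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Run `mvn dependency:tree -Dincludes=org.threeten` first to confirm which module pulls threetenbp in (here it is a `provided` dependency of tika-dl), so the suppression or pin lands in the right pom.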
On 22.04.2024 16:16, Nicholas DiPiazza wrote:
When getting these sorts of errors:
[ERROR] Failed to execute goal
org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit
(audit-dependencies) on project tika-dl: Detected 1 vulnerable components:
[ERROR] org.threeten:threetenbp:jar:1.3.3:provided;
https://ossindex.sonatype.org/component/pkg:maven/org.threeten/threetenbp@1.3.3?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-23081] CWE-476: NULL Pointer Dereference (3.7);
https://ossindex.sonatype.org/vulnerability/CVE-2024-23081?component-type=maven&component-name=org.threeten%2Fthreetenbp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2024-23082] CWE-190: Integer Overflow or Wraparound
(5.3);
https://ossindex.sonatype.org/vulnerability/CVE-2024-23082?component-type=maven&component-name=org.threeten%2Fthreetenbp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]
How do you all typically proceed? Do I patch the issue and move on somehow?
How do I get my builds to work now that this error has happened?
-Nicholas