Mate Szalay-Beko created ZOOKEEPER-4644:
-------------------------------------------
Summary: Update 3rd party library versions on branch-3.6
Key: ZOOKEEPER-4644
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4644
Project: ZooKeeper
Issue Type: Task
Affects Versions: 3.6.3
Reporter: Mate Szalay-Beko
Assignee: Mate Szalay-Beko
The last 3.6 release happened a long time ago and before releasing 3.6.4, we need
to make sure that no 3rd party library has any CVE issues. I ran CVE checks
and compared the 3pp library versions between the active branches and plan to
update some libraries.
{code:java}
mvn clean package -DskipTests dependency-check:check
(...)
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have
a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
{code}
Besides these, we might need to update some maven plugins.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
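As an added example (not part of the ticket or of ZooKeeper's own build), the following script turns the `[ERROR] <jar>: CVE(score), ...` lines that dependency-check-maven prints into structured findings, re-joins lines that the mail wrapped, and filters them against a CVSS cut-off the way the plugin's `failBuildOnCVSS` setting does; the sample input is the output quoted above.

```python
import re

# One "CVE-2022-42003(7.5)" token; the parenthesised number is the CVSS score.
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")
# A finding line: "[ERROR] <artifact>.jar: CVE-...(x.y), CVE-...(x.y)"
JAR_RE = re.compile(r"^\[ERROR\]\s+(\S+\.jar):\s*(.*)$")

def unwrap(lines):
    """Re-join finding lines that a mail client wrapped: a continuation
    line carries CVE tokens but does not start with '[ERROR]'."""
    joined = []
    for line in lines:
        if joined and not line.startswith("[ERROR]") and CVE_RE.search(line):
            joined[-1] = joined[-1].rstrip() + " " + line.strip()
        else:
            joined.append(line)
    return joined

def parse_report(text):
    """Return (jar, cve, cvss) triples from dependency-check console output."""
    findings = []
    for line in unwrap(text.splitlines()):
        m = JAR_RE.match(line.strip())
        if m:
            jar, rest = m.groups()
            findings += [(jar, cve, float(s)) for cve, s in CVE_RE.findall(rest)]
    return findings

def at_or_above(findings, threshold):
    """Findings with CVSS >= threshold, worst first; mirrors the plugin's
    failBuildOnCVSS cut-off, which the quoted run had at 0.0."""
    return sorted((f for f in findings if f[2] >= threshold),
                  key=lambda f: (-f[2], f[0], f[1]))

# Constructed from the plugin output quoted in the ticket; the jetty-server
# line is deliberately wrapped the way it appears in the mail.
SAMPLE_REPORT = """\
[ERROR] commons-cli-1.2.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] jetty-io-9.4.43.v20210629.jar: CVE-2022-2047(2.7), CVE-2022-2048(7.5)
[ERROR] jetty-server-9.4.43.v20210629.jar: CVE-2022-2047(2.7),
CVE-2022-2048(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-24823(5.5)
"""

if __name__ == "__main__":
    for jar, cve, cvss in at_or_above(parse_report(SAMPLE_REPORT), 7.0):
        print(f"{cvss:4.1f}  {jar:40s} {cve}")
```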