Hi, I understand, but even when I try Dropwizard 2.1.7, 3.0.0 or 4.0.1, it seems org.eclipse.jetty.toolchain.setuid:jetty-setuid-java:1.0.4 is still in the dependencies.
I checked https://mvnrepository.com/artifact/io.dropwizard/dropwizard-core/2.1.7, and it seems there are no vulnerabilities from version 2.1.7. But jetty-setuid-java:1.0.4 is still there, so I just worry that the vulnerabilities are still in the Dropwizard package. Or am I wrong? I'm using *grype* to check the vulnerabilities from the image, FYI.

On Friday, June 30, 2023 at 3:02:53 AM UTC+7 [email protected] wrote:

> Hi,
>
> Not a single one of the listed vulnerabilities is for org.eclipse.jetty.toolchain.setuid:jetty-setuid-java:1.0.4. They are all for older versions of Jetty itself for which there are updated versions of Dropwizard 2.1.x, 3.x, and 4.x.
>
> If your security scanner is flagging this, you should switch to another provider for these kinds of things.
>
> Please also note that Dropwizard 2.0.x is EOL since January 31, 2023 and will not receive any updates anymore.
>
> Best regards,
> Jochen
>
> On 29.06.2023 at 18:20, Minh Giang Tran <[email protected]> wrote:
>
> Hi,
>
> We are currently using Dropwizard 2.0.x for our project. During the process of scanning the Docker image built from our project, we have discovered several vulnerabilities in the dependencies, including jetty-setuid-java 1.0.4 (CVE-2017-7658 and CVE-2017-7657).
>
> Unfortunately, jetty-setuid-java 1.0.4 is the latest version available, and even the latest version of Dropwizard still relies on it.
>
> In light of this situation, I would like to inquire about the best course of action for excluding these vulnerabilities. Please find the details of the jetty-setuid-java 1.0.4 vulnerability information at the following link:
>
> https://mvnrepository.com/artifact/org.eclipse.jetty.toolchain.setuid/jetty-setuid-java/1.0.4
>
> Thank you for your assistance.
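An added example, not part of the thread or of Dropwizard or grype: one way to check how a scanner attributed CVE-2017-7657 and CVE-2017-7658 to jetty-setuid-java is to group its findings by match type. The field names (`matches`, `artifact`, `matchDetails`, `type`) and the `cpe-match` / `exact-direct-match` values are assumed to follow grype's `-o json` report; the report below is constructed sample data, and `triage` is a hypothetical helper.

```python
import json
from collections import defaultdict

# Constructed report, shaped like the output of `grype <image> -o json`
# (assumed field names: matches, vulnerability.id, artifact, matchDetails.type).
SAMPLE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-2017-7657"},
   "artifact": {"name": "jetty-setuid-java", "version": "1.0.4"},
   "matchDetails": [{"type": "cpe-match"}]},
  {"vulnerability": {"id": "CVE-2017-7658"},
   "artifact": {"name": "jetty-setuid-java", "version": "1.0.4"},
   "matchDetails": [{"type": "cpe-match"}]},
  {"vulnerability": {"id": "CVE-2017-7658"},
   "artifact": {"name": "jetty-server", "version": "9.4.0-constructed"},
   "matchDetails": [{"type": "exact-direct-match"}]}
]}
""")


def triage(report, artifact_name):
    """Group one artifact's findings by how the scanner matched them.

    "cpe-only"      : every match detail is a CPE (product-name) match, so the
                      CVE was inferred from a name, not from the package's own
                      coordinates; verify against the advisory's affected product.
    "package-match" : at least one detail matched on package coordinates.
    "unknown"       : the report carried no match type for the finding.
    """
    groups = defaultdict(list)
    for match in report.get("matches", []):
        artifact = match.get("artifact", {})
        if artifact.get("name") != artifact_name:
            continue
        details = match.get("matchDetails", [])
        types = {d["type"] for d in details if "type" in d}
        if not types:
            kind = "unknown"
        elif types == {"cpe-match"}:
            kind = "cpe-only"
        else:
            kind = "package-match"
        groups[kind].append((match["vulnerability"]["id"], artifact.get("version")))
    return {kind: sorted(found) for kind, found in groups.items()}


if __name__ == "__main__":
    for name in ("jetty-setuid-java", "jetty-server"):
        print(name, triage(SAMPLE_REPORT, name))
```

A finding that lands in `cpe-only` is the kind to check by hand against the advisory's affected product and versions before deciding whether to suppress it in the scanner.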
