[ https://issues.apache.org/jira/browse/CAMEL-20049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17786712#comment-17786712 ]
Andrea Cosentino edited comment on CAMEL-20049 at 11/16/23 11:24 AM:
---------------------------------------------------------------------

It is used only as a test dependency. You're not really exposed to anything; also, we are not spinning up an ActiveMQ server. You need to have an ActiveMQ server running to exploit this CVE: https://github.com/oscerd/nice-cve-poc/tree/main/CVE-2023-46604 and we are not doing it. I understand your point and I understand you're giving trust to Snyk, but it is a test dependency and I think you can manage to make the Snyk static analyzer ignore test dependencies. These reports need to be taken with a grain of salt sometimes.

> camel-activemq - Upgrade to latest releases
> -------------------------------------------
>
>                 Key: CAMEL-20049
>                 URL: https://issues.apache.org/jira/browse/CAMEL-20049
>             Project: Camel
>          Issue Type: Dependency upgrade
>          Components: camel-activemq
>            Reporter: Claus Ibsen
>            Assignee: Claus Ibsen
>            Priority: Major
>             Fix For: 3.14.10, 3.20.9, 3.21.3, 3.22.0, 4.0.3, 4.2.0
>
>         Attachments: screenshot-1.png
>
>
> There are new releases of ActiveMQ and Artemis.
> Though we only use this for testing, we need to be using the latest releases.