Ah right, I missed that, thanks very much for your in-depth analysis.
On Wednesday, 20 July 2022 at 15:53:24 UTC+1 Evgeny Mandrikov wrote:

> On Wednesday, July 20, 2022 at 4:08:22 PM UTC+2 [email protected] wrote:
>
>> Hi,
>> he's referring to https://mvnrepository.com/artifact/org.jacoco/org.jacoco.ant/0.8.8.
>>
>
> In this case please carefully study this report and the CVEs mentioned in it - 
> these vulnerabilities are not in JaCoCo, but in Ant.
>
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36374
> and
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373
> state
> Apache Ant prior to 1.9.16 and 1.10.11 were affected.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979
> states
> As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions 
> of temporary files
>
> org.jacoco.ant has a dependency on Ant with scope "provided" because 
> org.jacoco.ant is to be used from/with Ant,
> and org.jacoco.ant is compatible with different Ant versions, including 
> vulnerable Ant versions.
>
> In other words you can be affected by these vulnerabilities only if you 
> use vulnerable Ant versions, i.e. prior to 1.10.11,
> and cannot be affected if you use Ant versions that have fixes for them - 
> e.g. the latest as of today, Ant 1.10.12.
>  
>
>> On Wed, Jul 20, 2022 at 4:03 PM Evgeny Mandrikov <[email protected]> 
>> wrote:
>>
>>> On Wednesday, July 20, 2022 at 1:29:26 PM UTC+2 [email protected] 
>>> wrote:
>>>
>>>> Hi, please could you advise on the vulnerability report by Maven 
>>>> Central for the dependency `org.jacoco:org.jacoco.ant:0.8.8` and whether 
>>>> or not the jar is safe to use?
>>>>
>>>
>>> Hi,
>>>
>>> It is not clear to which report you're referring - for example page
>>>
>>> https://ossindex.sonatype.org/component/pkg:maven/org.jacoco/[email protected]
>>> states that
>>> This version of org.jacoco.ant has no known vulnerabilities! 🎉
>>>
>>> So could you please give us exact link to this report?
>>>  
>>>
>>>> I did try searching the forum, FAQs etc. for an answer. These CVEs 
>>>> have been present in all releases, so I guess the team have evaluated them 
>>>> and concluded that they don't actually affect the usage of the dependency?
>>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "JaCoCo and EclEmma Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/jacoco/6c7e1601-6081-4c2d-a2df-63bba787d43en%40googlegroups.com.
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"JaCoCo and EclEmma Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jacoco/096cee31-daaa-4fc4-93cc-a5e6614fc35an%40googlegroups.com.
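The practical consequence of the "provided" scope explained above is that a scanner looking at the org.jacoco.ant POM cannot tell which Ant will actually run the build; only the Ant on the build host decides exposure. The following script, added here as an example and not code from the JaCoCo project or from anyone in this thread, parses the banner that `ant -version` prints and compares the version against the ranges quoted in the thread (CVE-2021-36373 and CVE-2021-36374: prior to 1.9.16 and 1.10.11). For CVE-2020-11979 the thread only quotes that Ant 1.10.8 changed temporary-file permissions, so the single-version range used for it below is an assumption taken from the CVE text, not something the thread states. The sample banners in `__main__` are constructed for offline demonstration.

```python
"""Check the Ant that is actually installed (not the one declared with scope
"provided" in org.jacoco.ant's POM) against the Ant CVE ranges cited in the thread."""
import re
import shutil
import subprocess

# Affected ranges as [min_inclusive, max_exclusive) over (major, minor, patch).
# CVE-2021-36373 / CVE-2021-36374: "prior to 1.9.16 and 1.10.11" (quoted in the thread).
# CVE-2020-11979: the thread only quotes that 1.10.8 changed temp-file permissions;
# the one-version range below is an ASSUMPTION taken from the CVE text (regression
# in 1.10.8, corrected in 1.10.9), not a statement made anywhere in the thread.
AFFECTED = {
    "CVE-2021-36373": [((0, 0, 0), (1, 9, 16)), ((1, 10, 0), (1, 10, 11))],
    "CVE-2021-36374": [((0, 0, 0), (1, 9, 16)), ((1, 10, 0), (1, 10, 11))],
    "CVE-2020-11979": [((1, 10, 8), (1, 10, 9))],  # assumption, see above
}

# `ant -version` prints e.g. "Apache Ant(TM) version 1.10.12 compiled on October 13 2021"
BANNER_RE = re.compile(r"Apache Ant\(TM\) version (\d+)\.(\d+)\.(\d+)")


def parse_ant_version(banner: str):
    """Return (major, minor, patch) parsed from an `ant -version` banner, or None."""
    m = BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def applicable_cves(version):
    """Sorted CVE ids from AFFECTED whose version ranges contain `version`.

    Tuple comparison handles the two release branches: 1.9.16 is below 1.10.0,
    so a 1.9.x version is never matched against the 1.10.x range and vice versa.
    """
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(lo <= version < hi for lo, hi in ranges)
    )


def assess(banner: str) -> dict:
    """Full verdict for one banner: parsed version, matching CVEs, and advice."""
    version = parse_ant_version(banner)
    if version is None:
        return {"version": None, "cves": None, "verdict": "unparseable banner"}
    cves = applicable_cves(version)
    verdict = "ok" if not cves else "upgrade Ant (1.10.12 is unaffected)"
    return {"version": ".".join(map(str, version)), "cves": cves, "verdict": verdict}


def installed_ant_banner() -> str:
    """Banner of the Ant on PATH, or "" when no `ant` binary is installed."""
    if shutil.which("ant") is None:
        return ""
    return subprocess.run(["ant", "-version"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed banners for offline demonstration; the real one comes from installed_ant_banner().
    for banner in (
        "Apache Ant(TM) version 1.10.12 compiled on October 13 2021",
        "Apache Ant(TM) version 1.10.10 compiled on April 12 2021",
        "Apache Ant(TM) version 1.9.15 compiled on May 10 2020",
    ):
        print(assess(banner))
    live = installed_ant_banner()
    if live:
        print("installed:", assess(live))
```

Run it on the machine (or CI image) that actually executes the Ant build; the version pinned in the org.jacoco.ant POM is irrelevant to the result, which is exactly the point made in the reply above.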
