Hi Manuel,

Your dependency check is taking a sh*t on you and your valuable time. I would ditch it for something actually working.

For the record, Dropwizard 4.0.7 is not using any of the vulnerable versions of Apache HttpClient.

https://github.com/dropwizard/dropwizard/blob/v4.0.7/dropwizard-dependencies/pom.xml#L37-L38

The message mentions "metrics-httpclient5" which is an entirely different thing *and also not vulnerable*.

https://github.com/dropwizard/metrics/blob/v4.2.25/metrics-httpclient5/pom.xml#L21

Cheers,
Jochen

> On 24.04.2024 at 14:38, 'Manuel Baden' via dropwizard-dev <dropwizard-dev@googlegroups.com> wrote:
>
> Hello there,
>
> I am using dropwizard (version 4.0.7) and when I run a dependency check it shows the following (transitive) vulnerability:
>
> metrics-httpclient5-4.2.25.jar (pkg:maven/io.dropwizard.metrics/metrics-httpclient5@4.2.25, cpe:2.3:a:apache:httpclient:4.2.25:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2020-13956
>
> Is this problem getting fixed?
>
> Thank you for your help
> Manuel
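
A triage check for the finding quoted in this thread, as an added example that is not part of the original messages or of any project named in them: it parses the package URL and the CPE from the report line and flags the match for manual review when the CPE names a different vendor or product than the Maven coordinates. The function name `triage` and the comparison heuristic are assumptions made for illustration; a flagged match still needs a look at the actual dependency tree.

```python
import re

# Report line constructed from the finding quoted in the thread above.
FINDING = ("metrics-httpclient5-4.2.25.jar "
           "(pkg:maven/io.dropwizard.metrics/metrics-httpclient5@4.2.25, "
           "cpe:2.3:a:apache:httpclient:4.2.25:*:*:*:*:*:*:*) : "
           "CVE-2014-3577, CVE-2020-13956")

PURL_RE = re.compile(
    r"pkg:maven/(?P<group>[^/\s]+)/(?P<artifact>[^@\s]+)@(?P<version>[^\s,)]+)")
CPE_RE = re.compile(
    r"cpe:2\.3:[aho]:(?P<vendor>[^:]+):(?P<product>[^:]+):(?P<version>[^:]+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def triage(finding: str) -> dict:
    """Hypothetical helper: compare the scanner's CPE guess with the purl."""
    purl = PURL_RE.search(finding)
    cpe = CPE_RE.search(finding)
    if not purl or not cpe:
        raise ValueError("finding lacks a Maven purl or a CPE 2.3 string")

    group_parts = purl["group"].lower().split(".")
    vendor, product = cpe["vendor"].lower(), cpe["product"].lower()
    reasons = []

    # The CPE vendor normally shows up somewhere in the Maven groupId.
    if vendor not in group_parts:
        reasons.append(
            f"CPE vendor '{vendor}' is not part of groupId '{purl['group']}'")
    # A product that only resembles the artifactId is a name-based guess.
    if product != purl["artifact"].lower():
        reasons.append(
            f"CPE product '{product}' differs from artifactId '{purl['artifact']}'")
    # When the identity is already in doubt, an identical version string means
    # the scanner reused the jar's own version for an unrelated product.
    if reasons and cpe["version"] == purl["version"]:
        reasons.append(
            f"CPE version {cpe['version']} is the jar's own version, "
            "not a version of the product the CVEs describe")

    return {"cves": CVE_RE.findall(finding),
            "suspect_match": bool(reasons),
            "reasons": reasons}


if __name__ == "__main__":
    result = triage(FINDING)
    print("suspect CPE match:", result["suspect_match"])
    for reason in result["reasons"]:
        print(" -", reason)
```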