Re: commons-fileupload dependency and CVE

2021-07-11, Mark Thomas
On 10/07/2021 00:04, Matt Sicker wrote: Snyk looks like they have something like that in early access. I’ve seen a similar feature before in Whitesource, though it was fairly clunky. Then there’s the CodeQL queries on GitHub/LGTM which can find effective usage fairly well. It was bugging me I c

Re: commons-fileupload dependency and CVE

2021-07-09, Ralph Goers
Sorry, I hadn’t seen this response. Best practice is to include every dependency your application uses directly or transitively in the project’s parent pom.xml. That way you control the version of everything and aren’t dependent on other people’s stuff being upgraded. Ralph > On Jul 9, 2021

Re: commons-fileupload dependency and CVE

2021-07-09, Ralph Goers
FWIW, Libraries generally are compatible with newer versions for their dependencies, so long as the major version number doesn’t change. So you can mitigate this yourself by updating your application to use Commons IO 2.7 or later. Ralph > On Jul 9, 2021, at 4:11 AM, Daniel Wille wrote: >

Re: commons-fileupload dependency and CVE

2021-07-09, Matt Sicker
Snyk looks like they have something like that in early access. I’ve seen a similar feature before in Whitesource, though it was fairly clunky. Then there’s the CodeQL queries on GitHub/LGTM which can find effective usage fairly well. On Fri, Jul 9, 2021 at 11:54 Mark Thomas wrote: > On 09/07/202

Re: commons-fileupload dependency and CVE

2021-07-09, Mark Thomas
On 09/07/2021 15:49, Daniel Wille wrote: That is good to know, and I appreciate that info. I know that making updates to libraries for reasons like this is frowned upon by developers whose time is better spent fixing actual problems. It does mean however that many users will be in a situation wh

Re: commons-fileupload dependency and CVE

2021-07-09, Daniel Wille
That is good to know, and I appreciate that info. I know that making updates to libraries for reasons like this is frowned upon by developers whose time is better spent fixing actual problems. It does mean however that many users will be in a situation where a corporate tool will detect the CVE, r

Re: commons-fileupload dependency and CVE

2021-07-09, Mark Thomas
On 09/07/2021 15:11, Daniel Wille wrote: Hi all, I recently noted that commons-fileupload:commons-fileupload:1.4 has a dependency on commons-io:commons-io:2.2, which has a CVE (CVE-2021-29425). This could be mitigated by simply updating the dependency version to 2.7 or later. Would it be possibl

commons-fileupload dependency and CVE

2021-07-09, Daniel Wille
Hi all, I recently noted that commons-fileupload:commons-fileupload:1.4 has a dependency on commons-io:commons-io:2.2, which has a CVE (CVE-2021-29425). This could be mitigated by simply updating the dependency version to 2.7 or later. Would it be possible to publish a newer version of commons-fil