Good day, I trust this enquiry will find you well.
I am researching an issue raised by Sonatype (sonatype-2020-1349). It looks like Gary Gregory's commit of Sep 21, 2020 fixed the issue: https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd

Yet, Sonatype is still claiming that version 2.8.0 is vulnerable. Indeed, WhiteSource and Snyk.io are also claiming that all versions of Apache Commons DBCP, including version 2.8.0, are vulnerable:

WhiteSource
- Upgrade Version: No fix version available
- CVSS v3.1
- https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287
- sonatype-2020-1349
- CVSS Vector: CVSS:3.1
- "The Apache Commons DBCP packages are vulnerable to Insufficiently Protected Credentials. The application is vulnerable by using this component"

Snyk.io
- https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
- Vulnerability: Information Exposure
- Vulnerable versions: [0,]
- org.apache.commons:commons-dbcp2 2.8.0
- Published: 21 Sep, 2020

I would really appreciate your help and insight on this: Was Gary's commit never released? Or could it be that WhiteSource, Sonatype, and Snyk.io are all reporting this incorrectly, since Gary's "released" commit already fixed the issue?

Thank you in advance for your prompt response. And stay safe as we continue to emerge from the Covid-19 public health concerns.

Regards,
Adesina
