Hello all, I am a developer/maintainer of several Java projects. Part of this is to keep aware of potential vulnerabilities in project imports. I am using the OWASP dependency checker plugin with Gradle to identify potentially vulnerable projects. One project is getting flagged for its use of commons-math3 (directly imported by the project), commons-codec, and commons-logging (imported by other dependencies), which the checker claims have a vulnerability inherited from commons-net.
The problem is that I cannot find a reference to commons-net as a dependency anywhere in any of these projects (either the Gradle dependency list or the project pages themselves), which makes me wonder why this error is occurring. I am attempting to fix this issue by excluding commons-net from the dependencies. I am sending this email in hopes of verifying that this would be a useful action. It is possible that the vulnerability checker is reporting a false positive (this is not the first time it has done so), in which case I just need to add an exclusion and don't actually have to set any manual exclusions in the imports and don't need to do any Gradle manipulations to fix it; if I don't have to, I'd rather not, as it clutters up the dependency list rather significantly.

Aaron Kearns
KBR | Software Engineer, Government Solutions
Office: +1 505.853.2582 | Mobile: +1 304.997.0148
aaron.kea...@kbr.com
akea...@contractor.usgs.gov
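For the false-positive case the email describes, the usual fix with dependency-check is not a Gradle exclusion (there is nothing to exclude if commons-net is not actually on the classpath) but a suppression file that is scoped narrowly to the misidentified artifacts and the CPE they were wrongly matched to, so that a real commons-net dependency added later would still be flagged. The following suppression file is an added example, not part of the original email or of the commons/dependency-check projects; it assumes the mismatched CPE is `cpe:/a:apache:commons_net` (the email names only "commons-net"), that the artifacts are the standard Maven coordinates, and that the file is referenced from the Gradle build via `dependencyCheck { suppressionFile = 'config/dependency-check-suppressions.xml' }`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- config/dependency-check-suppressions.xml (hypothetical path) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Suppress only the CPE mis-match, not a CVE: any CVE that truly
         applies to commons-math3 under its own CPE is still reported. -->
    <suppress>
        <notes><![CDATA[
        commons-math3 is identified as apache:commons_net by the CPE analyzer
        because both share the "apache" vendor and "commons" product prefix.
        Verified that commons-net is absent from the resolved dependency tree
        (./gradlew dependencyInsight --dependency commons-net). Assumed CPE.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-math3@.*$</packageUrl>
        <cpe>cpe:/a:apache:commons_net</cpe>
    </suppress>

    <!-- Same false match for the transitively imported commons-codec. -->
    <suppress>
        <notes><![CDATA[ False CPE match; see note above. Assumed CPE. ]]></notes>
        <packageUrl regex="true">^pkg:maven/commons\-codec/commons\-codec@.*$</packageUrl>
        <cpe>cpe:/a:apache:commons_net</cpe>
    </suppress>

    <!-- And for commons-logging, also transitive. -->
    <suppress>
        <notes><![CDATA[ False CPE match; see note above. Assumed CPE. ]]></notes>
        <packageUrl regex="true">^pkg:maven/commons\-logging/commons\-logging@.*$</packageUrl>
        <cpe>cpe:/a:apache:commons_net</cpe>
    </suppress>

</suppressions>
```

Before adding the suppressions, confirm the finding is a CPE mis-identification by checking the "Identifiers" column of the HTML report for the flagged artifacts; if the evidence there actually names a commons-net jar, the dependency is present (for example shaded into another jar) and an exclusion or upgrade, not a suppression, is the right response.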