Yes, this would appear to be the issue in question. Thanks for confirming as FP.
Aaron Kearns
KBR | Software Engineer, Government Solutions
Office: +1 505.853.2582 | Mobile: +1 304.997.0148
[email protected] <mailto:[email protected]>
[email protected] <mailto:[email protected]>

This email, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

From: Jurrie Overgoor <[email protected]>
Date: Monday, December 12, 2022 at 11:31 PM
To: [email protected] <[email protected]>
Subject: [EXTERNAL] Re: [net] [logging] [math] [codec] Commons-net as dependency in other java projects?

Hello Aaron,

Are you perhaps encountering https://github.com/jeremylong/DependencyCheck/issues/5132 ? This should be fixed in 7.4.1, which was released only a few days ago.

With kind regards,
Jurrie

On 12-12-2022 23:54, Kearns, Aaron (Contractor) wrote:
>
> Hello all,
>
> I am a developer/maintainer of several java projects. Part of this is to keep aware of potential vulnerabilities in project imports. I am using the OWASP dependency checker plugin with gradle to identify potentially vulnerable projects. One project is getting flagged for its use of commons-math3 (directly imported by the project), commons-codec, and commons-logging (imported by other dependencies), which the checker claims have a vulnerability inherited from commons-net.
>
> The problem is that I cannot find a reference to commons-net as a dependency anywhere in any of these projects (either the gradle dependency list or the project pages themselves), which makes me wonder why this error is occurring. I am attempting to fix this issue by both excluding commons-net from the dependencies.
>
> I am sending this email in hopes of verifying that this would be a useful action. It is possible that the vulnerability checker is reporting a false-positive (this is not the first time it has done so), in which case I just need to add an exclusion and don't actually have to set any manual exclusions in the imports and don't need to do any gradle manipulations to fix it; if I don't have to, I'd rather not, as it clutters up the dependency list rather significantly.
>
> *Aaron Kearns*
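The "exclusion" Aaron considers, written out as an added example (not code from the thread or from the dependency-check project): a dependency-check suppressions file that silences only the commons-net CPE match on the three artifacts he names, so a genuine finding against those artifacts would still be reported. The file path, the CPE value and the package-URL patterns are assumptions to confirm against the scanner's own report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: dependency-check suppression for the mis-attributed commons-net match.
     Scoped by packageUrl so it only covers the three artifacts named in the thread,
     and by CPE so any other finding against those artifacts still surfaces.
     The CPE string and the Maven coordinates are assumptions; check them against
     the CPE shown for the finding in the HTML/JSON report before committing this. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- 'until' makes the suppression lapse automatically, so it cannot outlive the
       tool upgrade (the issue is reported fixed in 7.4.1) and be forgotten. -->
  <suppress until="2023-03-31Z">
    <notes><![CDATA[
      False positive: commons-math3, commons-codec and commons-logging are being
      matched to the commons-net CPE (jeremylong/DependencyCheck#5132).
      Remove this entry once the build runs dependency-check 7.4.1 or later.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/(org\.apache\.commons/commons-math3|commons-codec/commons-codec|commons-logging/commons-logging)@.*$</packageUrl>
    <cpe>cpe:/a:apache:commons_net</cpe>
  </suppress>
</suppressions>
```

Wire it in with `suppressionFile = 'config/dependency-check-suppressions.xml'` inside the Gradle plugin's `dependencyCheck { }` block (path assumed), and drop the entry once the upgraded scanner no longer produces the match.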
