Version 3.0.0 has contains CVE because of transitive dependency #326
Comments
|
Using Gradle you can exclude the dependency yourself. commons-beanutils already changed to commons-collections 4.4. However, beanutils has no release yet. The beanutils project looks quite dead. |
|
@SoltauFintel , I know I can exclude, but not sure that it is safe to do it (can have some unexpected consequences or exceptions), but will all stuff in library work as expected without it? |
|
I have made a short test. Excluding commons-collections:commons-collections and adding org.apache.commons:commons-collections4:4.4 result in many test case errors. So we have to wait for a beanutils update. |
SoltauFintel
added
wontfix
|
argh ... there's a beanutils2 ... |
SoltauFintel
added
bug
|
It comes to a Happy End. See PR #327 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
We migrated our project to library version 3.0.0 and it still contains vulnerable transitive dependency commons-collections:commons-collections:3.2.2 (resolved through commons-beanutils:commons-beanutils:1.9.4)
Can you exclude this vulnerable dependency from next minor release?
More details: https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/
The text was updated successfully, but these errors were encountered: