Dependencies vulnerability due to apache commons text

[wensiwang7890]

We are getting vulnerability reported from our dependency check job which points out the known security issue CVE-2022-42889, since commons-text is shaded in the jar file of the checker-framework and we are not able to constraint it with desired version:

checker-3.26.0.jar (shaded: org.apache.commons:commons-text:1.9)

One or more dependencies were identified with known vulnerabilities in app: checker-3.24.0.jar/META-INF/maven/org.apache.commons/commons-text/pom.xml (pkg:maven/org.apache.commons/commons-text@1.9, cpe:2.3:a:apache:commons_text:1.9:*:*:*:*:*:*:*) : CVE-2022-42889

Could you maybe upgrade the commons-text to version 1.10.0 which should fix the security issue:

org.apache.commons:commons-text:1.10.0

Thank you in advance!

[mernst]

Thanks for pointing this out. Those files are indeed in our .jar file, but they don't appear in our dependencies. @smillst will investigate.

[smillst]

Apaches commons text is a dependency of plume-util:options. Options is a transitive dependency of the Checker Framework via Annotation File Utilities (AFU). I've opened a pull request to force AFU to use org.apache.commons:commons-text:1.10.0, (https://github.com/typetools/annotation-tools/pulls). I've also opened an issue to updated Options with org.apache.commons:commons-text:1.10.0(plume-lib/options#224)

[mernst]

plume-lib/options was already updated in September. It just isn't on a rapid release cycle. I have now released version 2.0.2. That will avoid the need to hard-code Apache Commons Text 1.10.0. (The hard-coding might bite us at its next release.)

[smillst]

AFU needs a version of plume-lib/option that builds with Java 8.

[mernst]

OK, version 1.0.6 is released.