Dependencies vulnerability due to apache commons text #5387
Comments
Thanks for pointing this out. Those files are indeed in our .jar file, but they don't appear in our dependencies. @smillst will investigate.
Apache Commons Text is a dependency of plume-util:options. Options is a transitive dependency of the Checker Framework via Annotation File Utilities (AFU). I've opened a pull request to force AFU to use
plume-lib/options was already updated in September. It just isn't on a rapid release cycle. I have now released version 2.0.2. That will avoid the need to hard-code Apache Commons Text 1.10.0. (The hard-coding might bite us at its next release.)
AFU needs a version of plume-lib/options that builds with Java 8.
OK, version 1.0.6 is released.
We are getting a vulnerability reported from our dependency check job, which points out the known security issue CVE-2022-42889, since commons-text is shaded in the jar file of the checker-framework and we are not able to constrain it to the desired version:
checker-3.26.0.jar (shaded: org.apache.commons:commons-text:1.9)
One or more dependencies were identified with known vulnerabilities in app: checker-3.24.0.jar/META-INF/maven/org.apache.commons/commons-text/pom.xml (pkg:maven/org.apache.commons/commons-text@1.9, cpe:2.3:a:apache:commons_text:1.9:*:*:*:*:*:*:*) : CVE-2022-42889
Could you maybe upgrade the commons-text to version 1.10.0 which should fix the security issue:
org.apache.commons:commons-text:1.10.0
Thank you in advance!
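The dependency check above flags the shaded copy through its `META-INF/maven/<group>/<artifact>/pom.xml` entry, which a build-time version constraint cannot reach. As an added example (not code from the Checker Framework or this issue), the script below builds a constructed jar shading such a pom.xml, scans it the same way, and reports shaded artifacts still below the fixed version (commons-text 1.10.0 for CVE-2022-42889, as the report states); the placeholder artifact `example.group:other-lib` is invented for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed minimal pom.xml, shaped like the entry dependency-check found
# at META-INF/maven/org.apache.commons/commons-text/pom.xml in checker.jar.
POM_TEMPLATE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>{group}</groupId>
  <artifactId>{artifact}</artifactId>
  <version>{version}</version>
</project>"""

# Artifacts the page identifies and the version that resolves the finding.
FIXED_IN = {("org.apache.commons", "commons-text"): (1, 10, 0)}

POM_PATH = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.xml")


def build_jar(entries):
    """Construct an in-memory jar shading the given (group, artifact, version)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for group, artifact, version in entries:
            pom = POM_TEMPLATE.format(group=group, artifact=artifact, version=version)
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.xml", pom)
    return buf.getvalue()


def shaded_artifacts(jar_bytes):
    """Return (group, artifact, version) for every shaded pom.xml in the jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PATH.fullmatch(name)
            if not m:
                continue
            root = ET.fromstring(jar.read(name))
            # group/artifact come from the path (as the scanner's purl does);
            # the version may be inherited from <parent> in real poms.
            version = root.findtext("{*}version") or root.findtext("{*}parent/{*}version")
            found.append((m.group(1), m.group(2), version))
    return found


def parse_version(version):
    """Numeric tuple for comparison; non-numeric parts (e.g. -SNAPSHOT) are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def vulnerable_shaded(jar_bytes):
    """Shaded artifacts in FIXED_IN whose version is older than the fix."""
    return [(g, a, v) for g, a, v in shaded_artifacts(jar_bytes)
            if (g, a) in FIXED_IN and parse_version(v) < FIXED_IN[(g, a)]]
```

Pointing `shaded_artifacts` at a real checker jar lists every shaded Maven coordinate, which is the quickest way to confirm whether a release actually moved off 1.9.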