Dependency vulnerability due to apache bcel #5399
Comments
|
Thanks for getting in touch. |
|
It looks like only AFU uses org.apache.bcel:bcel and it doesn't actually need it. So I've opened a pull request to remove it. |
|
Thank you for your quick response. Is it possible for you to do a new release, including the removal of this dependency, soon or when do you plan to do the next release? |
|
We make a release on the first business day of each month, so the next release is planned for Thursday, December 1, 2022. Is that OK for you, or is a blocking problem? |
|
To be honest I would have it solved rather sooner than later, but it is not blocking us at the moment. Considering that you are not using this dependency anyway, it's fine for us waiting for the next regular release. |
|
OK, thanks for confirming. And thanks for helping us discover the unused dependency. |
Hello, our dependency check job reported this vulnerability CVE-2022-42920. It is recommended to update the version of org.apache.bcel:bcel to 6.6.0.
bcel is shaded in the jar file of the checker-framework, which means we cannot constraint it.
checker-3.27.0.jar (shaded: org.apache.bcel:bcel:6.5.0)This issue is similar to the issue #5387 where the security issue was solved with the latest release (3.27.0)
Can you upgrade apache.bcel to 6.6.0 in your project, which will solve our security issue?
Thank you in advance.
The text was updated successfully, but these errors were encountered: