When releasing to Maven Central, a security report is created. I will post a report link here, but I do not know how long it will remain available.
https://sbom.sonatype.com/report/T1-118f0f57da8c6b3097cc-7c5cd3c324b3e8-1709210263-9c8c29739af94ba6940236bcf4b9429f
Here are the top two candidates, both transitive (probably Xtext):
pkg:maven/log4j/log4j@1.2.17
- [CVE-2019-17571] CWE-502: Deserialization of Untrusted Data
- [CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- [CVE-2022-23302] CWE-502: Deserialization of Untrusted Data
- [CVE-2022-23307] CWE-502: Deserialization of Untrusted Data
- [CVE-2021-4104] CWE-502: Deserialization of Untrusted Data
- [CVE-2023-26464] CWE-502: Deserialization of Untrusted Data
pkg:maven/com.google.guava/guava@31.0.1-jre
- [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties
- [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions