Several vulnerabilities in the shared library which data-migration depends on. Could you help upgrade to patch versions?

[HelenParr]

Hi, @melowe , @namtruong , I'd like to report a vulnerability issue in com.jpmorgan.quorum:data-migration:0.11.

Issue Description

com.jpmorgan.quorum:data-migration:0.11 directly or transitively depends on 30 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that one C library is vulnerable, containing the following CVEs:

libsqlitejdbc.so from C project sqlite(version:3.23.1) exposed 3 vulnerabilities: CVE-2019-19646, CVE-2019-19645, CVE-2019-8457

Suggested Vulnerability Patch Versions

sqlite has fixed the vulnerabilities in versions >=3.37.0

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

[macfarla]

Hi @HelenParr - in maven central I can't see that version of sqlite - latest is 3.36.0.3 https://mvnrepository.com/artifact/org.xerial/sqlite-jdbc/3.36.0.3

https://mvnrepository.com/artifact/org.xerial/sqlite-jdbc

Can you share where you got the info about 3.37.0 version? Thanks!