Hans Aikema
Need to see whether all the reported issues are proper, but the noticed difference between the two is completely logical as they indeed have a significantly differing runtime dependency tree
Whether or not the various reported vulnerabilities are applicable to the wrapper part of Gradle remains to be seen, but the packaged gradle-wrapper.jar inside the swagger-codegen is positively a component...
And similar for https://github.com/swagger-api/swagger-codegen/tree/master/modules/swagger-codegen/src/main/resources/swagger-static/assets/js appears to be completely unmaintained parts of the swagger-codegen library
@volkert-fastned This finding comes from OSSIndex. Their API yields the vulnerabilities for a given library, hence there is no range indication. NVD on the other hand reports vulnerabilities and as...
Whether or not it's a false positive in your case depends on whether you explicitly enabled the hostname verification in your codebase (if not it's a true positive - due...
@sjamaan as indicated already in earlier comments: the CVE is about an insecure default in Netty as flagged by OSSIndex (follow the link in earlier comment https://github.com/jeremylong/DependencyCheck/issues/5912#issuecomment-1699387994 to the Netty...
@sjamaan Right... that's because this CVE has now reached a 'published' state with Red Hat's Hot Rod client as the messenger to move it forward to a published state, so...
@opax On a quick read I think that your patch will break in case of an unset JAVACMD env variable the case of https://github.com/mojohaus/appassembler/blob/99cc4e53bacf1256999e50291d16d73c5513587f/appassembler-maven-plugin/src/main/java/org/codehaus/mojo/appassembler/daemon/script/DefaultScriptGenerator.java#L206 As JAVACMD, if unset, is set...
similar to #6672 it is a sublibrary of the keycloak project and therefore linked by us to any vulnerability listed in NVD against the CPE.
A cleaner work-around (or even solution for your use case?) might be to use your own custom report template (a somewhat hidden, but available feature which, since version 7.4.4, PR...