Hans Aikema

Results 267 comments of Hans Aikema

@lackovic while it's only a workaround for the root cause, it is a symptom that up to now has only been mentioned by people running the OpenJ9 VM... so one way out would...

As said before
```
Caused by: java.lang.NullPointerException
    at org.h2.mvstore.WriteBuffer.ensureCapacity(WriteBuffer.java:301)
```
https://github.com/h2database/h2database/blob/1ba3590b5d29581a14b018b966e5da0a8ff2994c/h2/src/main/org/h2/mvstore/WriteBuffer.java#L301

Which would mean that `buff` is null, which according to my read of the H2 sources can only happen...

This appears to be a metadata mismatch in OSSIndex, please raise the issue with them as they still flag 18.0.2 as subject to the CVE.

> Hi @aikebah,
>
> Thanks for your answer.
>
> OK for the micromanagement strategy but here as far as I understand, it is a **version** misdetection (the product...

As the coordinates used for the library in your dependency are outdated and current bcprov-jdk14 is using proper versions that are in sync with the version as referenced in their...

@trathborne
> I was intending to mirror it daily into an NFS volume via https://jeremylong.github.io/DependencyCheck/data/cachenvd.html but then I found that https://github.com/stevespringett/nist-data-mirror/ has been EOL'd because of this move to APIs....

@Hildebrand-Ritense The two tools are separate, so there is no compatibility whatsoever. As Jeremy indicated already in this ticket ODC has the usage of the NIST API in the pipeline...

@TobiX That's a different dataset: the raw list of CVE records. The NIST NVD contains CVE data enriched with more metadata such as the product coordinates of affected software (encoded...

Released, but issue wasn't triggered to be closed by the merge, in 7.3.1/7.3.2

This has been resolved by an update to the upstream vulnerability source