ken-duck
OSS Index is now filtering "sonatype-id" vulnerability notifications for anonymous users. This may only be a partial workaround, as the "sonatype-id" vulnerability details will be visible for authenticating users.
@uwesinha I made a small project with your packages, but was not able to reproduce the exception. I wonder if the data in the dependency-check cache is corrupted. I would...
@uwesinha Another edge case has been resolved which may also have been the cause for your NPE.
@aikebah It is definitely my understanding that the comment you linked means that the issue has been resolved by internal fixes. The fundamental problem was that the "reference" was not...
@AntonOellerer: Correct, spring-security-crypto 5.7.1 is in fact vulnerable in the opinion of the Sonatype security researchers. The Sonatype security research team discovered that this issue is not yet fixed...
@aikebah Thanks for the information, that's great to hear. I will forward this thread to our security researchers, who I am sure will be quite eager to hear.
Ohhhhhh. I see. That certainly explains most of it for me. I am still mildly confused about the two overlapping patched_versions:
> patched_versions:
> - "~> 4.1.14, >= 4.1.14.2"
Thanks for the heads up. I will look into improving the error messaging, but I wonder if it would just be better to run by default in non-interactive mode. It...
Sorry for the delay, and thanks for the help! We have been dealing with a bit of a backlog, and will try to resolve this issue shortly. Thanks for helping...
Thanks for this. I have finally managed to get back into working the project. I will figure out where this newer version resides and get it patched and merged in....