embedded-consul

Dependencies that cause vulnerability alerts in scanners

Open msymons opened this issue 6 years ago • 1 comment

The use of embedded-consul 2.0.0 causes third-party threat analyzers (such as dependency-track) to generate threat alerts due to CVE threats in dependencies and transitive dependencies. slf4j-api and groovy-all should be trivial to update.

Note that one or more of the identified might not actually be relevant to embedded-consul... but they still give rise to alerts!

slf4j-api

Update to 1.7.26 to resolve critical threat CVE-2018-8088 (CVSS 3.0 score 9.8).

groovy-all

Update to a version after 2.4.7 (the version currently used) to resolve CVE-2016-6814 (CVSS 3.0 score 9.8).

http-builder

The version used (0.7.1) introduces threats transitively:

- commons-collections 3.2.1: CVE-2017-15708
- xercesimpl 2.9.1: CVE-2013-4002

It looks like http-builder is no longer maintained. I am not a developer, but would HttpBuilder-NG be a suitable alternative?

msymons avatar Mar 13 '19 00:03 msymons
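The issue above boils down to a check a maintainer can run before a scanner does: walk the resolved dependency tree and flag the coordinates it names, including the ones that only arrive transitively through http-builder. The following is an added example, not code from the embedded-consul project or from the issue author. It parses the text format printed by `gradle dependencies` (the `+---`/`\---` tree), resolves `->` conflict markers, and applies rules taken from the issue text itself: slf4j-api below 1.7.26, groovy-all at or below 2.4.7, commons-collections 3.2.1 and xercesImpl 2.9.1. The Maven coordinates and the sample tree are constructed for illustration and the rules are a transcription of the issue, not an advisory lookup.

```python
"""Flag dependency-tree entries that the issue above reports as triggering
scanner alerts. Added example; the sample tree is constructed, and the rules
are transcribed from the issue text rather than from an advisory database."""
import re
from typing import Callable, Dict, List, Tuple

# One `gradle dependencies` line: optional "|    " indents, "+--- " or "\--- ",
# group:artifact:version, optional " -> resolved" conflict marker. Trailing
# "(*)" / "(c)" markers are simply not consumed.
LINE_RE = re.compile(
    r"^(?P<indent>(?:[|\s]{5})*)[+\\]--- (?P<ga>[^:\s]+:[^:\s]+):(?P<ver>[^\s]+)"
    r"(?: -> (?P<resolved>[^\s]+))?"
)


def parse_version(v: str) -> Tuple:
    """Tuple that orders numeric segments numerically and keeps labels stable."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def below(fixed: str) -> Callable[[str], bool]:
    return lambda v: parse_version(v) < parse_version(fixed)


def at_most(last_bad: str) -> Callable[[str], bool]:
    return lambda v: parse_version(v) <= parse_version(last_bad)


def exactly(bad: str) -> Callable[[str], bool]:
    return lambda v: parse_version(v) == parse_version(bad)


# group:artifact -> (CVE named in the issue, predicate "this version is flagged").
# Coordinates are assumed; the thresholds are the issue's own statements.
RULES: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "org.slf4j:slf4j-api": ("CVE-2018-8088", below("1.7.26")),
    "org.codehaus.groovy:groovy-all": ("CVE-2016-6814", at_most("2.4.7")),
    "commons-collections:commons-collections": ("CVE-2017-15708", exactly("3.2.1")),
    "xerces:xercesImpl": ("CVE-2013-4002", exactly("2.9.1")),
}


def parse_tree(text: str) -> List[Tuple[str, str, List[str]]]:
    """Yield (group:artifact, resolved version, list of parent coordinates)."""
    stack: List[str] = []
    nodes: List[Tuple[str, str, List[str]]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend text
        depth = len(m.group("indent")) // 5
        ga = m.group("ga")
        version = m.group("resolved") or m.group("ver")  # honour "->" resolution
        del stack[depth:]  # climb back up to this node's parent
        nodes.append((ga, version, list(stack)))
        stack.append(f"{ga}:{version}")
    return nodes


def flag(text: str) -> List[Dict[str, object]]:
    """Return one finding per distinct flagged coordinate, with its import path."""
    findings: List[Dict[str, object]] = []
    seen = set()
    for ga, version, path in parse_tree(text):
        rule = RULES.get(ga)
        if rule is None or not rule[1](version) or (ga, version) in seen:
            continue
        seen.add((ga, version))
        findings.append({
            "coordinate": f"{ga}:{version}",
            "cve": rule[0],
            "transitive": bool(path),
            "via": " > ".join(path),
        })
    return findings


# Constructed sample: what a 2.0.0-era `gradle dependencies` run might print.
SAMPLE_TREE = r"""
compileClasspath - Compile classpath for source set 'main'.
+--- org.codehaus.groovy:groovy-all:2.4.7
+--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
|    +--- commons-collections:commons-collections:3.2.1
|    \--- xerces:xercesImpl:2.9.1
+--- org.apache.commons:commons-lang3:3.9
+--- org.slf4j:slf4j-api:1.7.25
\--- some.other:lib:1.0
     \--- org.slf4j:slf4j-api:1.7.21 -> 1.7.25 (*)
"""

if __name__ == "__main__":
    for f in flag(SAMPLE_TREE):
        origin = f"via {f['via']}" if f["transitive"] else "direct"
        print(f"{f['coordinate']}  {f['cve']}  ({origin})")
```

Feed it `./gradlew dependencies --configuration compileClasspath` output from a checkout; the `transitive`/`via` fields are what tell you whether a bump in build.gradle fixes the alert or whether the parent (here http-builder) has to go.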

Hi @msymons

Many thanks for clearly pointing out what we can improve. I will check in the coming days whether it is easy to bump the libs and replace http-builder with the suggested replacement.

pszymczyk avatar Mar 14 '19 06:03 pszymczyk