review dependencies #276

bigerl · 2024-09-16T11:45:39Z

We should look for replacements for the following libraries:

com.googlecode.json-simple:
- not updated since 2012, see https://mvnrepository.com/artifact/com.googlecode.json-simple/json-simple
- CVE-2020-15250 5.5 Transitive Incorrect Permission Assignment for Critical Resource vulnerability with Medium severity found

Upgrade the following:

org.codehaus.mojo:exec-maven-plugin 1.6.0
- not updated since 2017, migrate to recent 3.4.1
jena 4.2 -> 5.1
com.fasterxml.jackson.* 2.12.5 -> 2.17.2

update as soon as patches are available:

org.apache.hbase 2.6.0
- CVE-2023-2976 7.1 Transitive Files or Directories Accessible to External Parties vulnerability with High severity found
- CVE-2018-10237 5.9 Transitive Allocation of Resources Without Limits or Throttling vulnerability with Medium severity found
- CVE-2020-8908 3.3 Transitive Incorrect Permission Assignment for Critical Resource vulnerability with Low severity found
com.opencsv 5.9
- Cx78f40514-81ff 7.5 Transitive Uncontrolled Recursion vulnerability with High severity found
org.apache.jena:jena-core (through transitive dependencies)
- CVE-2024-26308 7.5 Transitive Allocation of Resources Without Limits or Throttling vulnerability with High severity found
- CVE-2024-25710 5.5 Transitive Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with Medium severity found

bigerl · 2024-09-16T11:54:53Z

nck-mlcnv · 2024-09-18T12:02:40Z

We're not using apache hbase I think, we're only using their implementation of the ByteArrayInputStream

nck-mlcnv · 2024-09-23T10:22:57Z

The transitive vulnerability of opencsv isn't relevant either: https://sourceforge.net/p/opencsv/patches/65/

bigerl added the security issue! label Sep 16, 2024

nck-mlcnv linked a pull request Sep 18, 2024 that will close this issue

Update dependencies #280

Merged

nck-mlcnv closed this as completed Oct 1, 2024

Provide feedback