Dependency 'org.json' has vulnerabilities #193
Comments
Thanks for reporting this. Will update and test.
I will take a look at this
Here you have a link where the issue is examined: stleary/JSON-java#484, the first is not correct 🤷♂️, I'm going to change it. Also indicate that commons-validator depends on commons-collections and in version 1.6 has a minor issue, see: https://issues.apache.org/jira/browse/COLLECTIONS-701
sorry :(, closed by mistake 😮💨
@jrpedrianes no problem, interested to find out what other projects are using for CVE reporting. Something free would be nice to have so we can react on these issues faster.
I think that you can use this https://github.com/apps/whitesource-for-github-com for free in GitHub public repositories. But I'm not sure.
Ok yeah let's give that a try definitely, thanks.
enabled for all sdk repos |
weird, whitesource is part of our build now but it's not reporting this particular issue
@jrpedrianes what tool identified this vulnerability? @tsurdilo how can I access the vulnerability report for this repo?
@manick02 this was the last scan performed: https://github.com/serverlessworkflow/sdk-java/runs/6085322739 that should be it for this issue I think (would also need to cherry-pick it to the 4.0.x branch)
Signed-off-by: manick02 <[email protected]>
@manick02 I use a tool integrated into my IDE. I use IntelliJ IDEA 2022.1 (Ultimate Edition) which has a panel called "Dependency checker" that alerts me of all these vulnerabilities. For example, in your case it alerts me of two:
Seems that my IDE is using Checkmarx under the hood. I don't know if this tool has a free plan, but it seems that you can integrate it into GitHub, or launch it directly from Maven.
Also, GitHub has a tool named "Dependabot alerts" that scans the project dependencies, but I don't know if transitive ones are detected too. You can enable it in Settings -> Code security and analysis -> Dependabot alerts
Thanks @jrpedrianes, I will check it out and will try to set up some form of this tool
Any news about this?
@manick02 ^^
@tsurdilo the fix for the json schema vulnerability is already approved by you and it's in the main branch already
oops sorry, checking
fixed via manick02@3c6813d
Signed-off-by: manick02 <[email protected]>
What happened:
Dependency org.json is a transitive dependency from everit-json-schema that has vulnerabilities (CVE Name: Cx78f40514-81ff) stleary/JSON-java#484
The everit-json-schema maintainer released a new version fixing it: https://github.com/everit-org/json-schema/releases