Vulnerability issues with dependencies in dropwizard-core 1.3.27 #4773
Replies: 1 comment
@simonwatsonkainos Thanks for reporting this! We've been using the OWASP Dependency Checker before but disabled it because it produced a lot of false positives.
The CVE refers to Apache Log4j 2.x but this dependency (
We're already overriding the version in You can either import |
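As an added example (not code from this discussion or from the Dropwizard project), here is an OWASP Dependency-Check suppression file that handles the log4j-over-slf4j finding from the reply above narrowly, while leaving the snakeyaml finding to be fixed by a version override; the file name and the `until` date are assumptions, and the file is wired in through the dependency-check-maven plugin's `suppressionFile` setting.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name); reference it from the
     dependency-check-maven plugin configuration via <suppressionFile>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2020-9488 is an Apache Log4j 2.x issue. org.slf4j:log4j-over-slf4j is the
       SLF4J bridge for the log4j 1.x API and ships no Log4j 2 code, so the match comes
       from name-based CPE matching, not from vulnerable code. Suppress it narrowly:
       one artifact (by package URL, not a bare CPE), one CVE, and an expiry date
       (assumed value) so the rule is reviewed instead of living forever. -->
  <suppress until="2021-12-31">
    <notes><![CDATA[False positive: log4j-over-slf4j is an SLF4J bridge, not Apache Log4j 2.x.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.slf4j/log4j\-over\-slf4j@.*$</packageUrl>
    <cve>CVE-2020-9488</cve>
  </suppress>

  <!-- Deliberately NOT suppressed: CVE-2017-18640 against org.yaml:snakeyaml 1.14 is a
       true positive. The dependency tree shows snakeyaml 1.23 being dropped in favour of
       1.14 ("omitted for conflict"), so the remedy is to pin a patched snakeyaml in
       <dependencyManagement> (or import a BOM that does), not to silence the scanner. -->

</suppressions>
```

Re-run the scan after adding the file: the log4j-over-slf4j line should disappear from the report while the snakeyaml line stays until the version is actually raised.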
After running the OWASP Dependency checker against the dropwizard-core dependency, two vulnerabilities are raised against dependencies which are brought in:
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR]
[ERROR] log4j-over-slf4j-1.7.30.jar: CVE-2020-9488
[ERROR] snakeyaml-1.14.jar: CVE-2017-18640
log4j-over-slf4j-1.7.30.jar is included as a dependency of dropwizard-logging:
[INFO] | +- io.dropwizard:dropwizard-logging:jar:1.3.27:compile
[INFO] | | +- (io.dropwizard:dropwizard-jackson:jar:1.3.27:compile - omitted for duplicate)
[INFO] | | +- (io.dropwizard:dropwizard-validation:jar:1.3.27:compile - omitted for duplicate)
[INFO] | | +- io.dropwizard.metrics:metrics-logback:jar:4.1.14:compile
[INFO] | | | - (io.dropwizard.metrics:metrics-core:jar:4.1.14:compile - omitted for duplicate)
[INFO] | | +- (org.slf4j:slf4j-api:jar:1.7.30:compile - omitted for duplicate)
[INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] | | | - (org.slf4j:slf4j-api:jar:1.7.30:compile - omitted for duplicate)
[INFO] | | +- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | | | - (ch.qos.logback:logback-core:jar:1.2.3:compile - omitted for duplicate)
[INFO] | | +- org.slf4j:log4j-over-slf4j:jar:1.7.30:compile
[INFO] | | | - (org.slf4j:slf4j-api:jar:1.7.30:compile - omitted for duplicate)
[INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.30:compile
[INFO] | | | - (org.slf4j:slf4j-api:jar:1.7.30:compile - omitted for duplicate)
[INFO] | | - org.eclipse.jetty:jetty-util:jar:9.4.33.v20201020:compile
https://nvd.nist.gov/vuln/detail/CVE-2020-9488
snakeyaml-1.14.jar is included as a dependency of dropwizard-configuration:
[INFO] | +- io.dropwizard:dropwizard-configuration:jar:1.3.27:compile
[INFO] | | +- (io.dropwizard:dropwizard-jackson:jar:1.3.27:compile - omitted for duplicate)
[INFO] | | +- (io.dropwizard:dropwizard-validation:jar:1.3.27:compile - omitted for duplicate)
[INFO] | | +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.9.10:compile
[INFO] | | | +- (org.yaml:snakeyaml:jar:1.23:compile - omitted for conflict with 1.14)
[INFO] | | | - (com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile - omitted for duplicate)
[INFO] | | +- (org.apache.commons:commons-lang3:jar:3.11:compile - omitted for conflict with 3.5)
[INFO] | | - org.apache.commons:commons-text:jar:1.9:compile
[INFO] | | - (org.apache.commons:commons-lang3:jar:3.11:compile - omitted for duplicate)
https://nvd.nist.gov/vuln/detail/CVE-2017-18640