Upgrade vulnerable dependencies #1129
How did you get this output? Also, can you please clear it up a bit and just add one report per library/jar? Guava, for example, is listed in every child project. Also, I think some of these don't directly apply to Jooby. Some examples:
Hi, I did some analysis with snyk, nexus-iq and blackduck. The next step will be a taint analysis of the jooby code itself, not only the OWASP A9. For the vulnerabilities themselves: I'm currently looking into every issue closely, figuring out if we can/must mitigate it. Regarding your traversal, you may be right; I would try to write a test for that, verifying it. Regardless of "test-only" dependencies, those should be mitigated if possible. Even "test vulnerabilities" can be attacked (in the build pipeline, for example). And yes, thanks for the hint, I "uniqued" the list above.
I will split this into several items; it's more granular for fixing branches.
We can close this one, right? Already done in separate pulls.
Yes, the rest is handled in separate issues/PRs.
In the current development master, some of the dependencies (direct and transitive) are prone to several (and high) vulnerabilities. Those dependencies have to be replaced (direct) or version-pinned (transitive).
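Pinning a transitive dependency, as the issue body asks for, is done in Maven by declaring the fixed version under `<dependencyManagement>` in the parent POM so that every child module resolves that version instead of whatever a direct dependency pulls in. The fragment below is an added example and not the Jooby project's own POM; the Guava coordinates are real, the version is a placeholder to be replaced with the release that closes the reported finding.

```xml
<!-- Added example (not from the Jooby project): pin a transitive dependency
     with Maven dependencyManagement so the fixed version wins resolution
     in every child module. The version below is a placeholder. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>FIXED_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After adding the block, `mvn dependency:tree -Dincludes=com.google.guava` shows which version each module now resolves, and running the build with a scanner such as the OWASP dependency-check Maven plugin confirms that the original finding no longer appears; a pin in `dependencyManagement` only takes effect for artifacts that are actually on the resolved path, so the tree output is the check that the override landed.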