Azure Security reports CVE-2018-1000011

[omni-htg]

Hello AI agent team!
Very recently we enabled Microsoft Defender for Cloud, which reported that the java container we set up with the AI agent has a High vulnerability CVE-2018-1000011 coming from org.jvnet.hudson.plugins.findbugs:library:1.31.0.0.

Could you please confirm how to move forward with this?
We are not very familiar with Java, so maybe we are mistaken and it actually comes from our own codebase.

Thank you for your time.

[trask]

hi @omni-htg! Application Insights Java doesn't have any dependencies on Hudson, so I suspect it is coming from somewhere else.

[omni-htg]

Apologies, we could not find the aforementioned either in IntelliJ IDEA's Dependency Analyzer nor after running gradle dependencies -- and so I suspected the agent when I saw a dependency on com.google.code.findbugs and some imports of edu.umd.cs.findbugs.

We build the output on a YAML pipeline using the gradle docker image -- yet, again, since we are not familiar enough with Java/Kotlin we might be missing something.

We would appreciate any further support with this, but feel free to close this thread if it does not apply to Application Insights Java 👍
Once again, thank you so much for your time.

[trask]

hi @omni-htg, org.jvnet.hudson.plugins.findbugs (Jenkins FindBugs plugin which is what the CVE is for) is different from FindBugs annotations

[omni-htg]

Thank you for your time @trask .
We will try to find out on our side, and come back with a new issue if it comes back to the Java agent.