> You are using a mix of dependency versions across libraries that don't agree (for example, com.typesafe.play:play-streams_2.13:2.8.2 is using com.typesafe.akka:akka-stream_2.13:2.6.5, but com.typesafe.play:play-ws-standalone_2.13:2.1.2 is using com.typesafe.akka:akka-stream_2.13:2.6.1).

Who is 'you' here? It looks like this is a comment directed at your project, not at playframework.
> The real issue here is the version of springframework being brought in here by some of the transitive dependencies contains a security vulnerability that results in the build failing due to owasp-dependency-check failing on the CVE mentioned above.

master has already been updated to 5.2.9.RELEASE in 92a442e, so Play 2.9.0 will have this change. I agree it would probably be good to backport this change to the 2.8.x tree.
Play Version
2.8.2
API
Java
Operating System
Linux centos7 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
JDK
openjdk version "11.0.8" 2020-07-14
OpenJDK Runtime Environment 18.9 (build 11.0.8+10)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.8+10, mixed mode, sharing)
Library Dependencies
Expected Behavior
I expect all versions of the dependencies to be the same across libraries, and they should not reference libraries with known CVEs, for example CVE-2020-5421 which is in any release older than:
Actual Behavior
You are using a mix of dependency versions across libraries that don't agree (for example, com.typesafe.play:play-streams_2.13:2.8.2 is using com.typesafe.akka:akka-stream_2.13:2.6.5, but com.typesafe.play:play-ws-standalone_2.13:2.1.2 is using com.typesafe.akka:akka-stream_2.13:2.6.1).
The transitive dependencies should be consistent across libraries.
The real issue here is the version of springframework being brought in here by some of the transitive dependencies
contains a security vulnerability that results in the build failing due to owasp-dependency-check failing on the CVE mentioned above.
Would it be possible to update all the transitive dependencies to springframework to version 5.2.9.RELEASE or above, and hopefully having them all agree?
Reproducible Test Case
Adding the following code:
Will allow the build to complete and pass the owasp-dependency-check.
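The reporter's snippet did not survive on this page. As an added example that is not the reporter's code and not part of Play's own build, the following build.sbt shows the usual sbt way to force transitive Spring modules onto the fixed line and to make the akka-stream versions agree: dependencyOverrides replaces whatever version a transitive dependency asked for. It assumes a Play 2.8.2 Java project on Scala 2.13 and that the Spring artifacts Play pulls in are spring-core, spring-beans and spring-context; the artifact list and the Scala patch version are assumptions, not taken from the page.

```scala
// build.sbt (added example; assumes project/plugins.sbt contains
// addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.8.2") and that the
// sbt dependency-check plugin is already enabled there)
name := "play-spring-override-example"
version := "0.1.0-SNAPSHOT"
scalaVersion := "2.13.3" // assumption: any 2.13.x supported by Play 2.8.2 works

lazy val root = (project in file("."))
  .enablePlugins(PlayJava)

// javaWs pulls in play-ws-standalone 2.1.2 transitively on Play 2.8.2
libraryDependencies ++= Seq(
  guice,
  javaWs
)

// Force every transitive Spring module onto 5.2.9.RELEASE (the first release
// without CVE-2020-5421) so owasp-dependency-check stops failing the build.
// dependencyOverrides wins over the version each library requested, so all
// libraries end up agreeing on one Spring version.
val springVersion = "5.2.9.RELEASE"
// assumption: these are the Spring artifacts Play brings in for form binding
val springModules = Seq("spring-core", "spring-beans", "spring-context")

dependencyOverrides ++= springModules.map(m => "org.springframework" % m % springVersion)

// Also pin akka-stream so play-streams (2.6.5) and play-ws-standalone (2.6.1)
// resolve to the same version instead of relying on sbt's eviction.
dependencyOverrides += "com.typesafe.akka" %% "akka-stream" % "2.6.5"
```

After reloading, `sbt evicted` lists which versions were displaced, and `sbt "show dependencyOverrides"` confirms the pins took effect; rerun the dependency-check task afterwards to verify that CVE-2020-5421 is no longer reported. Note that an override silences sbt's eviction warnings for the pinned artifacts, so keep the override within the same minor line (5.2.x) that the libraries were built against unless you have tested otherwise.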