Vulnerabilities in pmd-bin-6.50.0 version #4157
-
We are using the 6.50.0 version of pmd-bin; we scanned our files in Veracode. In the report we got, there were several vulnerability issues in many of the jar versions. Version suggested:
Replies: 1 comment 1 reply
-
protobuf-java is updated to 3.16.3 for the next version (PMD 6.51.0) -> f9ccab3

For jcommander, there is no version that is still compatible with Java 7 (Note: PMD 6 is still working with Java 7). Hence we didn't update it. The latest version seems to be 1.82 (https://repo1.maven.org/maven2/com/beust/jcommander/) and requires Java 8 (https://github.com/cbeust/jcommander/blob/aa70b568948d310899cda74e235733a8c23136ef/build.gradle.kts#L44).

The only vulnerability that I know of for jCommander is cbeust/jcommander#465 or https://security.snyk.io/vuln/SNYK-JAVA-COMBEUST-174815. It's about the build script of jcommander - but we don't build jCommander from source, we use the already built jar that is available in Maven Central. Do you think it carries an unknown vulnerability in it (it was released on 2015-04-11)?
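The reply raises two things a reader can verify locally rather than take on trust: whether a given jcommander jar really needs Java 8 (the class-file major version tells you), and whether the jar bundled in a pmd-bin distribution is byte-for-byte the artifact published on Maven Central (compare its SHA-1 with the published `.sha1`). The following script is an added example, not code from PMD or from either poster; the `pmd-bin-6.50.0/lib/jcommander-1.82.jar` path is a hypothetical location, the version mapping follows the JVM class-file specification, and the sample jar it falls back to is constructed in memory with a fake class header.

```python
"""Check jars shipped in a pmd-bin distribution: bytecode target and checksum.

Added example, not part of PMD. Answers two questions from the discussion:
  1. Does the jar still load on Java 7?  -> inspect the class-file major_version
  2. Is it the unmodified Maven Central artifact?  -> compare SHA-1 digests
"""
import hashlib
import io
import struct
import zipfile
from pathlib import Path

# class-file major_version -> Java release (JVM spec, class file format)
MAJOR_TO_JAVA = {49: "5", 50: "6", 51: "7", 52: "8", 53: "9", 54: "10", 55: "11", 61: "17"}
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def class_major_version(class_bytes: bytes) -> int:
    """Return major_version from a class-file header: magic(4) minor(2) major(2), big-endian."""
    if len(class_bytes) < 8 or class_bytes[:4] != CLASS_MAGIC:
        raise ValueError("not a class file")
    _minor, major = struct.unpack(">HH", class_bytes[4:8])
    return major


def jar_min_java_release(jar_data: bytes) -> str:
    """Lowest Java release able to load every class in the jar.

    Entries under META-INF/versions/ belong to multi-release jars and are
    ignored by a Java 7 runtime, so they do not raise the baseline.
    """
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".class") and not name.startswith("META-INF/versions/"):
                highest = max(highest, class_major_version(zf.read(info)))
    if highest == 0:
        raise ValueError("jar contains no class files")
    return MAJOR_TO_JAVA.get(highest, f"unknown (major {highest})")


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the jar bytes, the digest Maven Central publishes beside each artifact."""
    return hashlib.sha1(data).hexdigest()


def maven_central_sha1_url(group_id: str, artifact_id: str, version: str) -> str:
    """URL of the published .sha1 for an artifact, following the Maven repository layout."""
    return (f"https://repo1.maven.org/maven2/{group_id.replace('.', '/')}/"
            f"{artifact_id}/{version}/{artifact_id}-{version}.jar.sha1")


def matches_published_sha1(jar_data: bytes, published_sha1: str) -> bool:
    """Compare the local digest with the published one (.sha1 files may carry a trailing filename)."""
    return sha1_hex(jar_data) == published_sha1.strip().split()[0].lower()


def build_sample_jar(major: int) -> bytes:
    """Constructed sample jar: one entry with a minimal class-file header, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Foo.class", CLASS_MAGIC + struct.pack(">HH", 0, major) + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical path; depends on where pmd-bin was unpacked and which jcommander it ships.
    jar_path = Path("pmd-bin-6.50.0/lib/jcommander-1.82.jar")
    data = jar_path.read_bytes() if jar_path.exists() else build_sample_jar(52)
    print("minimum Java release:", jar_min_java_release(data))
    print("local sha1:", sha1_hex(data))
    print("compare against:", maven_central_sha1_url("com.beust", "jcommander", "1.82"))
```

Fetch the `.sha1` URL the script prints and pass its contents to `matches_published_sha1`; a mismatch means the bundled jar is not the artifact Maven Central published, which is the case worth investigating regardless of any scanner finding.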