scala-library was upgraded to 2.13.9 back in #4138 and then to 2.13.12 in #4696
jcommander has not been used in PMD 7, and is no longer shipped transitively either, as the designer was updated in #4695.
snakeyaml is not shipped with PMD, and is only used during local builds to load and update https://github.com/pmd/pmd/blob/master/docs/_data/sidebars/pmd_sidebar.yml based on existing languages and rulesets. Such usage is completely safe.
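The reply above closes each finding on one of three grounds: the dependency was upgraded past the fixed version, it is no longer shipped at all, or it is used only at build time. The script below, an added example that is not part of this issue or of the PMD project, turns that triage into a repeatable check over the scanner's "Vulnerable Library:" lines. The shipped-artifact inventory (`SHIPPED`) is constructed to mirror the maintainer's statements and is not generated from PMD's build; the `Fixed Version:` lines in `REPORT` are the page's values reformatted onto one line.

```python
"""Triage SCA findings against what a release actually ships (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches lines such as "Vulnerable Library: snakeyaml-1.33.jar (/pmd-doc/pom.xml)".
JAR_LINE = re.compile(
    r"Vulnerable Library:\s*(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.]*)\.jar"
    r"\s*\((?P<pom>[^)]+)\)"
)

# Constructed scanner output: the three findings from the issue, one "Fixed Version:" each.
REPORT = """\
Vulnerable Library: scala-library-2.13.3.jar (/pmd-apex/pom.xml)
Fixed Version: 2.13.9
Vulnerable Library: snakeyaml-1.33.jar (/pmd-doc/pom.xml)
Fixed Version: 2.0
Vulnerable Library: jcommander-1.48.jar (/pmd-doc/pom.xml)
Fixed Version: 1.75
"""


@dataclass(frozen=True)
class Shipped:
    version: str
    scope: str  # "runtime": in the distribution; "build": local build tooling only


# Constructed inventory mirroring the maintainer's reply (assumption, not real build output).
SHIPPED = {
    "scala-library": Shipped("2.13.12", "runtime"),
    "snakeyaml": Shipped("1.33", "build"),
    # jcommander is intentionally absent: no longer a direct or transitive dependency.
}


def version_key(v: str) -> tuple:
    """Split '2.13.9', '1.75' or '7.0.0-rc3' into comparable tuples.
    Numeric tokens compare as integers; qualifiers such as 'rc3' sort below a release."""
    return tuple((1, int(t)) if t.isdigit() else (0, t.lower()) for t in re.split(r"[.\-]", v))


def version_at_least(have: str, want: str) -> bool:
    """True when `have` is the same as or newer than `want` (missing components count as 0)."""
    a, b = list(version_key(have)), list(version_key(want))
    n = max(len(a), len(b))
    a += [(1, 0)] * (n - len(a))
    b += [(1, 0)] * (n - len(b))
    return tuple(a) >= tuple(b)


def parse_report(text: str) -> list[dict]:
    """Pair each 'Vulnerable Library:' line with the 'Fixed Version:' line that follows it."""
    findings: list[dict] = []
    current = None
    for line in text.splitlines():
        m = JAR_LINE.match(line)
        if m:
            current = m.groupdict()
            findings.append(current)
        elif line.startswith("Fixed Version:") and current is not None:
            current["fixed"] = line.split(":", 1)[1].strip()
    return findings


def triage(finding: dict, shipped: dict[str, Shipped]) -> str:
    """Classify one finding the way the maintainer's reply does."""
    name = finding["artifact"]
    if name not in shipped:
        return "NOT_SHIPPED"          # scanner saw an old pom, but nothing reaches users
    entry = shipped[name]
    if entry.scope == "build":
        return "BUILD_ONLY"           # only parses repository-owned input during local builds
    if version_at_least(entry.version, finding["fixed"]):
        return "FIXED_BY_UPGRADE"     # the shipped version already includes the fix
    return "AFFECTED"                 # vulnerable version really is in the distribution


def triage_report(text: str, shipped: dict[str, Shipped]) -> dict[str, str]:
    return {f["artifact"]: triage(f, shipped) for f in parse_report(text)}


if __name__ == "__main__":
    for artifact, verdict in triage_report(REPORT, SHIPPED).items():
        print(f"{artifact:14s} {verdict}")
```

The scope check runs before the version check on purpose: a build-only library still shows up as "below fixed version", and the verdict should say why it is out of scope rather than silently passing it. Swap `SHIPPED` for an inventory generated from the real release (for instance from the jars in the distribution archive) to use this against an actual build.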
Affects PMD Version: 7.0.0-rc3

Description:

Hi PMD team, we scanned the PMD source code with Mend (https://www.mend.io/); it reported 2 critical and 1 high CVEs:

Vulnerable Library: scala-library-2.13.3.jar (/pmd-apex/pom.xml)
Dependency Hierarchy:
Severity: Critical
CVE Link: https://www.mend.io/vulnerability-database/CVE-2022-36944
Fixed Version: org.scala-lang:scala-library:2.13.9

Vulnerable Library: snakeyaml-1.33.jar (/pmd-doc/pom.xml)
Dependency Hierarchy:
Severity: Critical
CVE Link: https://www.mend.io/vulnerability-database/CVE-2022-1471
Fixed Version: 2.0

Vulnerable Library: jcommander-1.48.jar (/pmd-doc/pom.xml)
Dependency Hierarchy:
Severity: High
CVE Link: Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolves dependencies over HTTP instead of HTTPS.
Fixed Version: 1.75