We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The following vulnerabilities are being produced when running dependency check:
batik-all-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-all@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-rasterizer-ext-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-rasterizer-ext@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-rasterizer-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-rasterizer@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-svgrasterizer-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-svgrasterizer@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-codec-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-codec@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-squiggle-ext-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-squiggle-ext@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-squiggle-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-squiggle@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-svgbrowser-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-svgbrowser@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-svgpp-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-svgpp@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*, cpe:2.3:a:svgpp:svgpp:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-extension-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-extension@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-slideshow-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-slideshow@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-swing-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-swing@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-ttf2svg-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-ttf2svg@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987 batik-gui-util-1.13.jar (pkg:maven/org.apache.xmlgraphics/batik-gui-util@1.13, cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987
All of the above batik v1.13 dependencies are transitively fetched via the org:apache:poi:5.0.0.
batik v1.13
org:apache:poi:5.0.0
Going forward here are a few ways to resolve the issue:
owasp-suppression.xml
<suppress> <notes><![CDATA[ file name: batik-*.jar ]]></notes> <packageUrl regex="true">^pkg:maven/org\.apache\.xmlgraphics/batik.*@.*$</packageUrl> <cpe>cpe:/a:apache:batik</cpe> <cve>CVE-2020-11987</cve> </suppress>
poi & batik
batik v1.14
The text was updated successfully, but these errors were encountered:
No branches or pull requests
The following vulnerabilities are being produced when running dependency check:
All of the above
batik v1.13dependencies are transitively fetched via theorg:apache:poi:5.0.0.Going forward here are a few ways to resolve the issue:
owasp-suppression.xmlfile and in particular by including:poi & batikdependencies are indeed needed and if not remove altogetherbatik v1.13dependencies and upgrade tobatik v1.14, which will eliminate the vulnerabilities.The text was updated successfully, but these errors were encountered: