Task
Resolution: Done
One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp: btf-1.3.jar (cpe:2.3:a:json-java_project:json-java:1.3:*:*:*:*:*:*:*) : CVE-2023-5072
https://nvd.nist.gov/vuln/detail/CVE-2023-5072
Looks like a mismatch/false positive: the library actually affected is https://github.com/stleary/JSON-java which Magnolia doesn't use.
The btf dependency erroneously reported as vulnerable comes transitively via
[INFO] | +- info.magnolia.rest:magnolia-rest-integration:jar:2.2.23-SNAPSHOT:compile
[INFO] | | +- org.jboss.resteasy:resteasy-jackson2-provider:jar:5.0.8.Final:compile
[INFO] | | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.5:compile
[INFO] | | | \- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] | | | +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] | | | | \- com.github.java-json-tools:btf:jar:1.3:compile
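The two triage steps the ticket walks through (find how the flagged jar arrives transitively, then check whether the matched CPE actually describes that jar) can be scripted. The following is an added example, not Magnolia's code or part of the ticket. It parses `mvn dependency:tree` output and splits the CPE 2.3 string into its fields; the helper names (`path_to`, `assess_match`) are hypothetical. The embedded tree is constructed from the ticket's fragment with Maven's column-aligned layout restored (the ticket's paste collapsed the whitespace); the nesting places msg-simple and btf beneath json-patch, as the ticket's pipe count indicates.

```python
"""Triage helper for a CPE-based vulnerability match on a Maven dependency.

Added example (not from the ticket): recovers the transitive path to a
flagged artifact and reports which CPE fields the artifact's Maven
coordinates actually corroborate. A match resting on the version string
alone is the usual shape of a CPE false positive.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ticket's tree fragment, column-aligned as Maven
# prints it (each nesting level is three characters wide).
DEPENDENCY_TREE = """\
[INFO] |  +- info.magnolia.rest:magnolia-rest-integration:jar:2.2.23-SNAPSHOT:compile
[INFO] |  |  +- org.jboss.resteasy:resteasy-jackson2-provider:jar:5.0.8.Final:compile
[INFO] |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.5:compile
[INFO] |  |  |  \\- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] |  |  |     +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] |  |  |     |  \\- com.github.java-json-tools:btf:jar:1.3:compile
"""

# The CPE the scanner attached to btf-1.3.jar, taken from the ticket.
CPE = "cpe:2.3:a:json-java_project:json-java:1.3:*:*:*:*:*:*:*"

# "[INFO] <tree prefix><+- or \->  group:artifact:type[:classifier]:version:scope"
_LINE = re.compile(r"^\[INFO\] (?P<prefix>.*?)(?:\+-|\\-) (?P<coords>\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) per node, in print order."""
    nodes = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # other [INFO] lines from the build log
        depth = len(m.group("prefix")) // 3 + 1
        parts = m.group("coords").split(":")
        # scope is last, version second to last; a classifier may sit before it
        nodes.append((depth, parts[0], parts[1], parts[-2]))
    return nodes


def path_to(text: str, artifact_id: str, version: str) -> Optional[List[str]]:
    """Walk the tree with an ancestor stack; return the chain to the target."""
    stack: List[Tuple[int, str]] = []
    for depth, group, artifact, ver in parse_tree(text):
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, f"{group}:{artifact}:{ver}"))
        if artifact == artifact_id and ver == version:
            return [coords for _, coords in stack]
    return None


def parse_cpe(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its 13 named components.
    Escaped colons (\\:) inside a component are not handled here."""
    fields = ["cpe", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other"]
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(fields, parts))


def _norm(s: str) -> str:
    """Lower-case and drop separators so 'json-java' and 'json_java' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _names_agree(cpe_name: str, segments: List[str]) -> bool:
    n = _norm(cpe_name)
    for seg in segments:
        s = _norm(seg)
        if n == s or n in s or (len(s) >= 4 and s in n):
            return True
    return False


def assess_match(cpe: str, group_id: str, artifact_id: str,
                 version: str) -> Dict[str, bool]:
    """Report which CPE fields the Maven coordinates corroborate."""
    c = parse_cpe(cpe)
    segments = group_id.split(".") + [artifact_id]
    vendor = re.sub(r"_project$", "", c["vendor"])  # NVD's '<name>_project' idiom
    product_ok = _names_agree(c["product"], segments)
    vendor_ok = _names_agree(vendor, segments)
    version_ok = c["version"] in ("*", version)
    return {
        "vendor_matches": vendor_ok,
        "product_matches": product_ok,
        "version_matches": version_ok,
        # Neither name agrees: only the version string lines up.
        "likely_false_positive": not (vendor_ok or product_ok),
    }


if __name__ == "__main__":
    print(" -> ".join(path_to(DEPENDENCY_TREE, "btf", "1.3") or ["not found"]))
    print(assess_match(CPE, "com.github.java-json-tools", "btf", "1.3"))
```

For the ticket's case the path comes back as magnolia-rest-integration, resteasy-jackson2-provider, json-patch, msg-simple, btf, and the assessment shows only the version field agreeing, which is the signal to record the finding as a CPE mismatch rather than a vulnerability in the webapp.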
Acceptance criteria