BUILD-1162: Dismiss CVE mismatch about java-json-tools btf

Type: Task
Resolution: Done
Priority: Neutral

One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp:

btf-1.3.jar (cpe:2.3:a:json-java_project:json-java:1.3:*:*:*:*:*:*:*) : CVE-2023-5072

https://nvd.nist.gov/vuln/detail/CVE-2023-5072

Looks like a mismatch/false positive: the library actually affected is https://github.com/stleary/JSON-java, which Magnolia doesn't use.
The btf dependency erroneously reported as vulnerable comes transitively via

[INFO] |  +- info.magnolia.rest:magnolia-rest-integration:jar:2.2.23-SNAPSHOT:compile
[INFO] |  |  +- org.jboss.resteasy:resteasy-jackson2-provider:jar:5.0.8.Final:compile
[INFO] |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.5:compile
[INFO] |  |  |  \- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] |  |  |     +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] |  |  |     |  \- com.github.java-json-tools:btf:jar:1.3:compile
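As an added example, not part of the ticket: a suppression entry that dismisses this mismatch at its root, assuming the scanner that produced the message above is OWASP Dependency-Check (its Maven plugin reports in this form) and that the build passes this file via the plugin's suppressionFiles setting. It suppresses the wrong CPE for the btf artifact rather than the single CVE, so later CVEs filed against JSON-java also stop matching btf, while real btf advisories would still be reported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check suppression file (assumed path: dependency-check-suppressions.xml) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        BUILD-1162: btf-1.3.jar is matched to the json-java CPE by name similarity only.
        The affected project is stleary/JSON-java, which is not on the classpath;
        btf comes in transitively via json-patch -> msg-simple.
        ]]></notes>
        <!-- Scope the suppression to the btf artifact only, any version -->
        <packageUrl regex="true">^pkg:maven/com\.github\.java-json-tools/btf@.*$</packageUrl>
        <!-- Suppress the mis-assigned CPE, not just CVE-2023-5072 -->
        <cpe>cpe:/a:json-java_project:json-java</cpe>
    </suppress>
</suppressions>
```

Re-check after applying it that the next scan still lists btf-1.3.jar in the report with no json-java CPE attached, which confirms the suppression hit the identifier and not the dependency itself.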

        Acceptance criteria

              fgrilli Federico Grilli
              fgrilli Federico Grilli
              Christian Lange
              Foundation