Task
Resolution: Done
One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp by CVE scan (see list below).
Luckily for us they're just mismatches: https://nvd.nist.gov/vuln/detail/CVE-2020-36460 and https://nvd.nist.gov/vuln/detail/CVE-2020-36448 concern some Rust library Magnolia doesn't use.
They'll be added to https://git.magnolia-cms.com/projects/BUILD/repos/poms/browse/build-resources/src/main/resources/magnolia-build-resources/dependency-check-mismatches-suppression.xml and also temporarily suppressed in dx-core (until next parent pom release).
kie-dmn-api-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-api@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-feel-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-feel@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-model-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-model@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-core-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-core@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-backend-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-backend@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
drools-canonical-model-7.33.0.Final.jar (pkg:maven/org.drools/drools-canonical-model@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*, cpe:2.3:a:redhat:drools:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
pmml-model-1.4.11.jar (pkg:maven/org.jpmml/pmml-model@1.4.11, cpe:2.3:a:model_project:model:1.4.11:*:*:*:*:*:*:*) : CVE-2020-36460
pmml-agent-1.4.11.jar (pkg:maven/org.jpmml/pmml-agent@1.4.11, cpe:2.3:a:model_project:model:1.4.11:*:*:*:*:*:*:*) : CVE-2020-36460
kie-soup-project-datamodel-commons-7.33.0.Final.jar (pkg:maven/org.kie.soup/kie-soup-project-datamodel-commons@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
magnolia-cache-core-5.9.4.jar (pkg:maven/info.magnolia.cache/magnolia-cache-core@5.9.4, cpe:2.3:a:cache_project:cache:5.9.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-app-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-app@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-dpc-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-dpc@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-personalization-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-personalization@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
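A sketch of what suppression entries for these two mismatches could look like in OWASP Dependency-Check's suppression format. This is an added example, not the contents of Magnolia's dependency-check-mismatches-suppression.xml; the package URL regexes are assumptions derived from the scan list above. It suppresses the wrongly matched CPE rather than the individual CVE, so the legitimate cpe:2.3:a:redhat:drools match on drools-canonical-model stays active.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Added example. Regexes are assumptions built from the group ids in the scan list. -->

  <suppress>
    <notes><![CDATA[
      False positive: cpe model_project:model (CVE-2020-36460) belongs to a Rust
      library, not to the KIE, Drools or JPMML Maven artifacts it was matched to.
    ]]></notes>
    <!-- Covers org.kie, org.kie.soup, org.drools and org.jpmml artifacts -->
    <packageUrl regex="true">^pkg:maven/org\.(kie|kie\.soup|drools|jpmml)/.+@.*$</packageUrl>
    <!-- Only this CPE is dropped; other identifiers on the same jar are still evaluated -->
    <cpe>cpe:/a:model_project:model</cpe>
  </suppress>

  <suppress>
    <notes><![CDATA[
      False positive: cpe cache_project:cache (CVE-2020-36448) belongs to a Rust
      library, not to the Magnolia cache modules.
    ]]></notes>
    <!-- Covers info.magnolia.cache and info.magnolia.advancedcache artifacts -->
    <packageUrl regex="true">^pkg:maven/info\.magnolia\.(cache|advancedcache)/.+@.*$</packageUrl>
    <cpe>cpe:/a:cache_project:cache</cpe>
  </suppress>

</suppressions>
```

Scoping each entry with a package URL keeps the suppression from hiding the same CPE if a dependency that really is affected by it shows up later.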
Acceptance criteria