[BUILD-1162] Dismiss CVE mismatch about java-json-tools btf Created: 20/Oct/23 Updated: 09/Jan/24 Resolved: 20/Oct/23 |
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Visible to: | Christian Lange |
| Team: | |
| Work Started: | |
| Approved: | Yes |
| Description |
One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp:

btf-1.3.jar (cpe:2.3:a:json-java_project:json-java:1.3:*:*:*:*:*:*:*) : CVE-2023-5072 https://nvd.nist.gov/vuln/detail/CVE-2023-5072

Looks like a mismatch/false positive: the library actually affected is https://github.com/stleary/JSON-java which Magnolia doesn't use.

[INFO] | +- info.magnolia.rest:magnolia-rest-integration:jar:2.2.23-SNAPSHOT:compile
[INFO] | | +- org.jboss.resteasy:resteasy-jackson2-provider:jar:5.0.8.Final:compile
[INFO] | | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.5:compile
[INFO] | | | \- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] | | | +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] | | | | \- com.github.java-json-tools:btf:jar:1.3:compile
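A suppression entry for this mismatch, added here as an example and not taken from the Magnolia build. It assumes the scan came from OWASP dependency-check (the report wording and CPE notation match its output); the packageUrl pattern and the note text are my own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file; assumed tool: OWASP dependency-check. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      BUILD-1162: btf-1.3.jar (com.github.java-json-tools:btf) is matched to
      cpe json-java_project:json-java, i.e. stleary/JSON-java (org.json:json),
      which Magnolia does not use. CVE-2023-5072 applies to that library only.
    ]]></notes>
    <!-- Scope the rule to the btf artifact only, any version (Package URL regex). -->
    <packageUrl regex="true">^pkg:maven/com\.github\.java\-json\-tools/btf@.*$</packageUrl>
    <!-- Suppress the wrong CPE identification rather than the single CVE, so later
         CVEs filed against JSON-java are not mis-attributed to btf either. -->
    <cpe>cpe:2.3:a:json-java_project:json-java</cpe>
  </suppress>
</suppressions>
```

Keep the packageUrl scope: a bare cpe element would hide that CPE for every artifact and would mask a genuine hit if org.json:json were ever added to the classpath.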