[BUILD-491] Mismatched vulnerabilities reported by CVE scan Created: 17/Aug/21  Updated: 17/Aug/21  Resolved: 17/Aug/21

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: Build Resources 1.6.11, POMs 42

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: artt, maintenance, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Story Points: 1

Description

One or more dependencies with known vulnerabilities were identified in the Magnolia DX Core webapp by the CVE scan (see list below).

Luckily for us, they're just mismatches: https://nvd.nist.gov/vuln/detail/CVE-2020-36460 and https://nvd.nist.gov/vuln/detail/CVE-2020-36448 concern some Rust library Magnolia doesn't use.

They'll be added to https://git.magnolia-cms.com/projects/BUILD/repos/poms/browse/build-resources/src/main/resources/magnolia-build-resources/dependency-check-mismatches-suppression.xml and also temporarily suppressed in dx-core (until next parent pom release).

kie-dmn-api-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-api@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460  
kie-dmn-feel-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-feel@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-model-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-model@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460 
kie-dmn-core-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-core@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460 
kie-dmn-backend-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-backend@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
drools-canonical-model-7.33.0.Final.jar (pkg:maven/org.drools/drools-canonical-model@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*, cpe:2.3:a:redhat:drools:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
pmml-model-1.4.11.jar (pkg:maven/org.jpmml/pmml-model@1.4.11, cpe:2.3:a:model_project:model:1.4.11:*:*:*:*:*:*:*) : CVE-2020-36460 
pmml-agent-1.4.11.jar (pkg:maven/org.jpmml/pmml-agent@1.4.11, cpe:2.3:a:model_project:model:1.4.11:*:*:*:*:*:*:*) : CVE-2020-36460 
kie-soup-project-datamodel-commons-7.33.0.Final.jar (pkg:maven/org.kie.soup/kie-soup-project-datamodel-commons@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460 

magnolia-cache-core-5.9.4.jar (pkg:maven/info.magnolia.cache/magnolia-cache-core@5.9.4, cpe:2.3:a:cache_project:cache:5.9.4:*:*:*:*:*:*:*) : CVE-2020-36448 
magnolia-advanced-cache-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448 
magnolia-advanced-cache-app-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-app@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448 
magnolia-advanced-cache-dpc-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-dpc@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448 
magnolia-advanced-cache-personalization-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-personalization@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
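An added illustration (not the contents of Magnolia's actual dependency-check-mismatches-suppression.xml) of how the two mismatches above can be suppressed; it assumes the scanner is OWASP Dependency-Check with its suppression schema 1.3, and it keys each suppression on the wrongly matched CPE plus a Package URL pattern rather than on the CVE id, so that future CVEs filed against the same wrong CPE do not re-trigger on these artifacts:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative suppressions for BUILD-491; assumes OWASP Dependency-Check (schema 1.3).
     Not Magnolia's real suppression file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- org.kie / org.kie.soup / org.drools / org.jpmml artifacts were matched to
       cpe:/a:model_project:model, which refers to a Rust library Magnolia does not use.
       Suppressing the CPE (not only CVE-2020-36460) removes the whole false match. -->
  <suppress>
    <notes><![CDATA[
      BUILD-491: CPE mismatch, model_project:model is an unrelated Rust library.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.(kie|kie\.soup|drools|jpmml)/.*$</packageUrl>
    <cpe>cpe:/a:model_project:model</cpe>
  </suppress>

  <!-- Magnolia's own cache modules were matched to cpe:/a:cache_project:cache,
       again an unrelated Rust library. Scope the suppression to Magnolia's own groups. -->
  <suppress>
    <notes><![CDATA[
      BUILD-491: CPE mismatch, cache_project:cache is an unrelated Rust library.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/info\.magnolia\.(cache|advancedcache)/.*$</packageUrl>
    <cpe>cpe:/a:cache_project:cache</cpe>
  </suppress>

</suppressions>
```

The same entries can sit in the webapp's local suppression file as the temporary dx-core suppression until the parent POM release ships them centrally; keeping the Package URL pattern narrow avoids silencing genuine findings against other artifacts.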

Generated at Sun Feb 11 23:42:21 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.