[BUILD-491] Mismatched vulnerabilities reported by CVE scan Created: 17/Aug/21 Updated: 17/Aug/21 Resolved: 17/Aug/21 |
|
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | Build Resources 1.6.11, POMs 42 |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | artt, maintenance, security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoR: |
Empty
|
| Story Points: | 1 |
| Description |
|
One or more dependencies were identified with known vulnerabilities in Magnolia DX Core webapp by CVE scan (see list below).

Luckily for us they're just mismatches: https://nvd.nist.gov/vuln/detail/CVE-2020-36460 and https://nvd.nist.gov/vuln/detail/CVE-2020-36448 concern some Rust library Magnolia doesn't use.

They'll be added to https://git.magnolia-cms.com/projects/BUILD/repos/poms/browse/build-resources/src/main/resources/magnolia-build-resources/dependency-check-mismatches-suppression.xml and also temporarily suppressed in dx-core (until next parent pom release).

kie-dmn-api-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-api@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-feel-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-feel@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-model-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-model@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-core-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-core@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
kie-dmn-backend-7.33.0.Final.jar (pkg:maven/org.kie/kie-dmn-backend@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
drools-canonical-model-7.33.0.Final.jar (pkg:maven/org.drools/drools-canonical-model@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*, cpe:2.3:a:redhat:drools:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
pmml-model-1.4.11.jar (pkg:maven/org.jpmml/pmml-model@1.4.11, cpe:2.3:a:model_project:model:1.4.11:*:*:*:*:*:*:*) : CVE-2020-36460
pmml-agent-1.4.11.jar (pkg:maven/org.jpmml/pmml-agent@1.4.11, cpe:2.3:a:model_project:model:1.4.11:*:*:*:*:*:*:*) : CVE-2020-36460
kie-soup-project-datamodel-commons-7.33.0.Final.jar (pkg:maven/org.kie.soup/kie-soup-project-datamodel-commons@7.33.0.Final, cpe:2.3:a:model_project:model:7.33.0:*:*:*:*:*:*:*) : CVE-2020-36460
magnolia-cache-core-5.9.4.jar (pkg:maven/info.magnolia.cache/magnolia-cache-core@5.9.4, cpe:2.3:a:cache_project:cache:5.9.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-app-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-app@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-dpc-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-dpc@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448
magnolia-advanced-cache-personalization-2.3.4.jar (pkg:maven/info.magnolia.advancedcache/magnolia-advanced-cache-personalization@2.3.4, cpe:2.3:a:cache_project:cache:2.3.4:*:*:*:*:*:*:*) : CVE-2020-36448 |
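An added example, not the contents of Magnolia's actual suppression file: how the two mismatches listed above could be expressed as narrowly scoped suppression rules. It assumes the scanner is OWASP Dependency-Check (inferred from the suppression file's name) and its suppression schema 1.3; the grouping into two rules and the regular expressions are choices made for this illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Each rule is pinned to both the Maven package URLs from the scan output
       and the single mismatched CVE, so the same CVE reported against any
       other artifact, or a different CVE against these artifacts, still
       surfaces in the report. -->

  <suppress>
    <notes><![CDATA[
      Mismatch: the artifacts were matched to cpe:2.3:a:model_project:model.
      CVE-2020-36460 concerns a Rust library, not these Java artifacts.
      Tracked in BUILD-491.
    ]]></notes>
    <!-- The version part is left open (@.*) so the rule survives dependency
         upgrades; only the group and artifact ids are fixed. -->
    <packageUrl regex="true">^pkg:maven/(org\.kie/kie-dmn-(api|feel|model|core|backend)|org\.drools/drools-canonical-model|org\.jpmml/pmml-(model|agent)|org\.kie\.soup/kie-soup-project-datamodel-commons)@.*$</packageUrl>
    <cve>CVE-2020-36460</cve>
  </suppress>

  <suppress>
    <notes><![CDATA[
      Mismatch: the artifacts were matched to cpe:2.3:a:cache_project:cache.
      CVE-2020-36448 concerns a Rust library, not Magnolia's cache modules.
      Tracked in BUILD-491.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/(info\.magnolia\.cache/magnolia-cache-core|info\.magnolia\.advancedcache/magnolia-advanced-cache(-app|-dpc|-personalization)?)@.*$</packageUrl>
    <cve>CVE-2020-36448</cve>
  </suppress>

</suppressions>
```

Because drools-canonical-model also carries the cpe:2.3:a:redhat:drools identifier, suppressing by CVE rather than by CPE leaves findings for that second identifier untouched.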