[BUILD-641] Dismiss CVE-2021-40111 and others related to Apache James server Created: 13/Jan/22  Updated: 17/Jan/22  Resolved: 14/Jan/22

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: POMs 44, Build Resources 1.6.13

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: foundation_team, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty

Description
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR] apache-mime4j-core-0.8.3.jar: CVE-2021-40111, CVE-2021-40110, CVE-2021-38542, CVE-2021-40525

James stands for Java Apache Mail Enterprise Server. Magnolia inherits some James-related dependencies via swagger/resteasy.

The CVEs all concern the Apache James server itself (https://github.com/apache/james-project), not the libraries used indirectly by Magnolia, namely apache-mime4j-dom, apache-mime4j-core and apache-mime4j-storage (all separate submodules of james-mime4j, independent from the James server itself; see https://github.com/apache/james-mime4j).

As such, I would dismiss the CVEs as false positives.

[INFO] |  +- info.magnolia.rest:magnolia-rest-services:jar:2.2.11-SNAPSHOT:compile
[INFO] |  |  +- io.swagger.core.v3:swagger-annotations:jar:2.1.11:compile
[INFO] |  |  \- org.jboss.resteasy:resteasy-multipart-provider:jar:4.6.1.Final:compile
[INFO] |  |     +- com.sun.mail:jakarta.mail:jar:1.6.5:compile
[INFO] |  |     +- org.apache.james:apache-mime4j-dom:jar:0.8.3:compile
[INFO] |  |     |  \- org.apache.james:apache-mime4j-core:jar:0.8.3:compile
[INFO] |  |     +- org.apache.james:apache-mime4j-storage:jar:0.8.3:compile
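The dismissal described above is usually recorded as a scanner suppression so the build stays green without hiding future findings. The file below is an added example for this ticket, not an artifact from the ticket or from the Magnolia build; it assumes the scanner that produced the "[ERROR] One or more dependencies were identified with vulnerabilities" line is OWASP dependency-check (that is the wording of its Maven plugin) and uses that tool's suppression format. The artifact coordinates and CVE numbers are the ones listed in the ticket.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not part of BUILD-641): an OWASP dependency-check suppression
     for the four CVEs reported against apache-mime4j-core-0.8.3.jar.
     Assumption: the build uses the dependency-check Maven plugin, which is
     what emits the "[ERROR] One or more dependencies ..." message. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        BUILD-641: CVE-2021-40111, CVE-2021-40110, CVE-2021-38542 and CVE-2021-40525
        affect the Apache James mail server. Magnolia only pulls in the separate
        james-mime4j parser modules (apache-mime4j-core/-dom/-storage) through
        org.jboss.resteasy:resteasy-multipart-provider; the scanner matches their
        vendor/product to the James server and reports a false positive.
        Scoped to the three mime4j artifacts only, so any other org.apache.james
        dependency appearing later would still be flagged.
        ]]></notes>
        <!-- Match by package URL rather than by file name so the suppression
             survives version bumps but never applies to other org.apache.james jars. -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.james/apache-mime4j-(core|dom|storage)@.*$</packageUrl>
        <cve>CVE-2021-40111</cve>
        <cve>CVE-2021-40110</cve>
        <cve>CVE-2021-38542</cve>
        <cve>CVE-2021-40525</cve>
    </suppress>
</suppressions>
```

Two design points worth keeping: the suppression names the exact CVEs instead of silencing the artifact wholesale, so a genuine mime4j advisory published later would still fail the build; and the `packageUrl` pattern is limited to the three mime4j modules, so the James server artifacts the CVEs actually describe are not suppressed if they ever enter the dependency tree. The dependency-check schema also allows an `until="YYYY-MM-DDZ"` attribute on `<suppress>` when a suppression should be revisited on a date rather than kept indefinitely.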

Generated at Sun Feb 11 23:43:46 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.