[BUILD-641] Dismiss CVE-2021-40111 and others related to Apache James server Created: 13/Jan/22 Updated: 17/Jan/22 Resolved: 14/Jan/22 |
|
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | POMs 44, Build Resources 1.6.13 |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | foundation_team, security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoR: |
Empty
|
| Description |
[ERROR] One or more dependencies were identified with vulnerabilities:
[ERROR] apache-mime4j-core-0.8.3.jar: CVE-2021-40111, CVE-2021-40110, CVE-2021-38542, CVE-2021-40525

The CVEs all concern the Apache James server itself (https://github.com/apache/james-project), not the libraries used indirectly by Magnolia, namely apache-mime4j-dom, apache-mime4j-core and apache-mime4j-storage (all separate submodules of james-mime4j, independent from James server itself, see https://github.com/apache/james-mime4j). As such, I would dismiss the CVEs as false positives.

[INFO] | +- info.magnolia.rest:magnolia-rest-services:jar:2.2.11-SNAPSHOT:compile
[INFO] | | +- io.swagger.core.v3:swagger-annotations:jar:2.1.11:compile
[INFO] | | \- org.jboss.resteasy:resteasy-multipart-provider:jar:4.6.1.Final:compile
[INFO] | | +- com.sun.mail:jakarta.mail:jar:1.6.5:compile
[INFO] | | +- org.apache.james:apache-mime4j-dom:jar:0.8.3:compile
[INFO] | | | \- org.apache.james:apache-mime4j-core:jar:0.8.3:compile
[INFO] | | +- org.apache.james:apache-mime4j-storage:jar:0.8.3:compile
|
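A dismissal like the one described above can be recorded as a scoped suppression rule. This is an added example, not the suppression file shipped with the Magnolia build resources. It assumes the scanner is OWASP dependency-check (inferred from the wording of the error message) and that a suppression file is wired into the build.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: OWASP dependency-check suppression file (assumed scanner). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      BUILD-641: these CVEs concern the Apache James server
      (https://github.com/apache/james-project), not the james-mime4j
      libraries (https://github.com/apache/james-mime4j) pulled in
      transitively via resteasy-multipart-provider. False positive.
    ]]></notes>
    <!-- Scope the rule to the three mime4j artifacts named in the ticket,
         so an actual James server artifact would still be reported. -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j\-(core|dom|storage)@.*$</packageUrl>
    <!-- Suppress only the CVE ids listed in the scan output, not a whole CPE,
         so new findings against the same jars still fail the build. -->
    <cve>CVE-2021-40111</cve>
    <cve>CVE-2021-40110</cve>
    <cve>CVE-2021-38542</cve>
    <cve>CVE-2021-40525</cve>
  </suppress>
</suppressions>
```

Matching on the package URL plus explicit CVE ids keeps the dismissal narrow: a future CVE that does affect mime4j is not covered by this rule and will surface in the next scan.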