Current Behavior
The current google.* dependencies are old versions with potential security vulnerabilities:
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit-aggregate (default-cli) on project nexus-proxy: Detected 2 vulnerable components:
[ERROR] com.google.protobuf:protobuf-java:jar:3.0.2:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/protobuf-java@3.0.2
[ERROR]   * [CVE-2015-5237] Improper Restriction of Operations within the Bounds of a Memory Buffer (8.8); https://ossindex.sonatype.org/vuln/d47d20ab-eb2a-4cfd-8064-bbf6283649cb
[ERROR] com.google.guava:guava:jar:20.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava@20.0
[ERROR]   * [CVE-2018-10237] Deserialization of Untrusted Data (5.9); https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0
Expected behavior
Regularly scan external dependencies for known vulnerabilities and update them.
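The ossindex-maven-plugin output quoted above is easy to turn into a build gate. The following Python script is an added example, not code from this issue, from ZK, or from the ossindex plugin: it parses the plugin's finding lines (the sample below is constructed from the two findings in this report), groups each CVE under its Maven coordinates, and returns the findings whose CVSS score meets a threshold. The function names and the 7.0 threshold are my own choices; the parser accepts both Maven's usual one-line-per-[ERROR] output and the run-together form the report was pasted in.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two findings from this report, as Maven prints them
# (one [ERROR] prefix per line).
SAMPLE_LOG = """\
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit-aggregate (default-cli) on project nexus-proxy: Detected 2 vulnerable components:
[ERROR] com.google.protobuf:protobuf-java:jar:3.0.2:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/protobuf-java@3.0.2
[ERROR]   * [CVE-2015-5237] Improper Restriction of Operations within the Bounds of a Memory Buffer (8.8); https://ossindex.sonatype.org/vuln/d47d20ab-eb2a-4cfd-8064-bbf6283649cb
[ERROR] com.google.guava:guava:jar:20.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava@20.0
[ERROR]   * [CVE-2018-10237] Deserialization of Untrusted Data (5.9); https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0
"""

# "[ERROR] group:artifact:type:version:scope; <purl url>"
COMPONENT_RE = re.compile(
    r"^\[ERROR\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r":(?P<version>[^:;\s]+):(?P<scope>\w+);"
)
# "[ERROR]   * [CVE-...] Title (score); <vuln url>"
VULN_RE = re.compile(
    r"^\[ERROR\]\s+\*\s+\[(?P<id>[^\]]+)\]\s+(?P<title>.*?)\s+"
    r"\((?P<score>\d+(?:\.\d+)?)\);\s*(?P<url>\S+)"
)


@dataclass
class Vulnerability:
    id: str
    title: str
    score: float
    url: str


@dataclass
class Component:
    group: str
    artifact: str
    version: str
    scope: str
    vulns: list = field(default_factory=list)

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_audit_log(text: str) -> list:
    """Return the vulnerable components reported by ossindex-maven-plugin.

    The text is split at every "[ERROR]" marker, so it does not matter whether
    the output arrives one record per line or run together on a single line.
    """
    components = []
    current = None
    for record in re.split(r"\s*(?=\[ERROR\])", text):
        record = record.strip()
        m = COMPONENT_RE.match(record)
        if m:
            current = Component(m["group"], m["artifact"], m["version"], m["scope"])
            components.append(current)
            continue
        m = VULN_RE.match(record)
        if m and current is not None:
            # Each "* [CVE-...]" line belongs to the component listed just before it.
            current.vulns.append(
                Vulnerability(m["id"], m["title"], float(m["score"]), m["url"])
            )
    return components


def findings_above(components: list, threshold: float) -> list:
    """(coordinates, CVE id, score) for every finding at or above the threshold."""
    return [
        (c.coordinates, v.id, v.score)
        for c in components
        for v in c.vulns
        if v.score >= threshold
    ]


def should_fail_build(components: list, threshold: float = 7.0) -> bool:
    """Gate used by a CI step: fail when any finding reaches the threshold."""
    return bool(findings_above(components, threshold))


if __name__ == "__main__":
    comps = parse_audit_log(SAMPLE_LOG)
    for coords, cve, score in findings_above(comps, 0.0):
        print(f"{coords}  {cve}  CVSS {score}")
    print("fail build:", should_fail_build(comps))
```

A CI job can pipe `mvn ossindex:audit-aggregate` output into `parse_audit_log` and exit non-zero when `should_fail_build` returns True; lowering the threshold to 0.0 turns the gate into a full inventory of findings rather than only the high-severity ones.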
Workaround
Exclude the "optional" com.google.javascript:closure-compiler-unshaded dependency from your project.
ZK runs without it; the only loss is that it cannot generate source maps during development.
maven:
    <exclusions>
        <exclusion>
            <groupId>com.google.javascript</groupId>
            <artifactId>closure-compiler-unshaded</artifactId>
        </exclusion>
    </exclusions>
gradle:
    configurations {
        implementation.exclude group: "com.google.javascript", module: "closure-compiler-unshaded"
    }
Relates to: ZK-4562 Introduce OWASP Dependency-Check (Closed)