-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency check shows vulnerabilities in dependent packages #473
Comments
Please note that a new Dependency Check report is now available, generated by running Dependency-Check Report |
In the above report, the dependencies CVE-2017-8359 CVE-2017-9431 CVE-2020-7768 Conclusion |
The script in #480 produces the dependency graph below for all the vulnerabilities mentioned in the Dependency Check report except All packages with listed vulnerabilities except The graph above can be reproduced with |
Like the comment above regarding Dependency Check's confusion of |
The last remaining dependency vulnerability in the second Dependency Check report that is not addressed in the comments above is the one relating to Prometheus. Only
The The deployment in this repo does create a Prometheus instance, however, from the Therefore, I believe the Prometheus vulnerability listed in the latest Dependency Check is not applicable to this repo. |
Since it appears that Dependency Check does not reveal any exploitable vulnerabilities as of 5f2f60a, reducing the priority of this issue to a P2. |
A dependency check as of Jan 12 2021 shows vulnerabilities in package dependencies (both direct and indirect). Most of these vulnerabilities are fixed in later versions, and can therefore be addressed by updating referenced package versions.
Dependency-Check Report.pdf
The text was updated successfully, but these errors were encountered: