owasp check failed #1465
Comments
This will be in the next release |
Some more: lucene CVE-2024-45772 and javax.json CVE-2023-7272. For lucene dep I use version 9.12.0 now with stanford, seems to be working fine (but all I do is |
if i update javax.json to https://repo1.maven.org/maven2/org/glassfish/jakarta.json/1.1.6/ do you know if that will solve your problems with that library? i have no idea what effect updating to 2.... would have |
the lucene stuff is for a specific package which we're not sure too many people use (@manning wants me to delete it entirely) |
for lucene, what about the 7.7.3 series? again i feel wary bumping the major version number without actually knowing anything about the package that uses it https://mvnrepository.com/artifact/org.apache.lucene/lucene-core/7.7.3 but if that still has security problems then i guess it's time to do something bigger |
Perhaps, but I think that version has the vulnerability as well. There will probably be some impact here. But it could be that the way Stanford uses lucene doesn't expose the vulnerability.
|
My build shows:
[ERROR] protobuf-java-3.19.6.jar: CVE-2024-7254(8.699999809265137)
Can you please update this dependency?