Dependencies catch-up / Q1 2022 #240

fgonzal · 2022-02-04T03:50:18Z

This PR is the result of running the OWASP dependency-check tool and addressing the vulnerabilities spotted in the report.

This is the OWASP Dependency-Check report after updating the references: dependency-check-report.html.zip

For those interested, the tool can be run locally by typing in the following command (provided you're at the project's root directory):
dependency-check --project "jPOS-EE" --scan="**/modules/**/build/install/**/**.jar" --format=HTML

(instructions on how to install it can be found here)

Back to the report, as you can see, it still shows 4 vulns. However:

a) one of them is a false-positive. The tool is confusing jposee-db-mysql-2.2.8.jar with mysql:mysql:2.2.8, thus the confidence rate of 'Low' for this item in the report. This vulnerability can be safely dismissed.

b) the other three are jPOS dependecies, so they can't be addressed in this project.

Apart from running the test suite locally, I went ahead and manually tried a local qi-core build in a couple of projects that use it. They both worked well.

fgonzal added 4 commits February 2, 2022 17:38

Bump Jetty version number to 9.4.44.v20210927.

f7c916e

Bump Guava version number to 31.0.1-jre.

22596eb

Bump MySQL driver version number to 8.0.28.

5efd850

Update references to Jackson databind, Netty and HTTP async client.

f4882c5

ar approved these changes Feb 9, 2022

View reviewed changes

ar merged commit 6fa4b0d into jpos:master Feb 9, 2022

fgonzal deleted the dependencies-february-2022 branch February 10, 2022 20:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependencies catch-up / Q1 2022 #240

Dependencies catch-up / Q1 2022 #240

fgonzal commented Feb 4, 2022

Dependencies catch-up / Q1 2022 #240

Dependencies catch-up / Q1 2022 #240

Conversation

fgonzal commented Feb 4, 2022