This repository has been archived by the owner on Apr 23, 2024. It is now read-only.
Library vulnerable to CVE-2017-5929 #25
Comments
|
This was a false positive. The workaround in lower versions of DC is to define the suppression manually. <?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true">
<notes><![CDATA[
FP per #2594
]]></notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/.*$</packageUrl>
<cpe>cpe:/a:logback:logback</cpe>
</suppress>
</suppressions> |
|
I thought it would be necessary to upgrade ch.qos.logback dependencies from v1.1.3 to v1.2.0 ? |
|
I second that this should depend on logback 1.2.0 in order to fix that vulnerability. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
This library has been identified as vulnerable to CVE-2017-5929, this is listed as a Critical severity issue. Please can this be resolved.
see https://nvd.nist.gov/vuln/detail/CVE-2017-5929
Found using dependency-check-maven https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
The text was updated successfully, but these errors were encountered: