flyway/flyway-docker

Vulnerabilities in flyway 9.40

jmcruz1983 opened this issue · 3 comments

Following vulnerabilities are being reported by docker image scans:

Java (jar)
==========
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2022-42003   | HIGH     | 2.13.2.1          | 2.14.0-rc1                     | In FasterXML jackson-databind before  |
|                                             |                  |          |                   |                                | 2.14.0-rc1, resource exhaustion c ... |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-42003 |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------+
|                                             | CVE-2022-42004   |          |                   | 2.13.4                         | In FasterXML jackson-databind before  |
|                                             |                  |          |                   |                                | 2.13.4, resource exhaustion can o ... |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-42004 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.google.protobuf:protobuf-java           | CVE-2022-3171    | MEDIUM   | 3.21.4            | 3.16.3, 3.19.6, 3.20.3, 3.21.7 | [potential denial of service issue    |
|                                             |                  |          |                   |                                | in the Java Protobuf runtime]         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-3171  |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| org.hsqldb:hsqldb                           | CVE-2022-41853   | CRITICAL | 2.6.1             | 2.7.1                          | Those using java.sql.Statement        |
|                                             |                  |          |                   |                                | or java.sql.PreparedStatement         |
|                                             |                  |          |                   |                                | in hsqldb ...                         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-41853 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+

Is this by any chance a cause for #109?
So like Docker images won't get released with active vulnerabilities?

In addition, Trivy 0.26 is reporting this critical:

CVE-2022-40674
package: expat
current version: 2.4.8-r0
fix version: 2.4.9-r0
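As an added example (not code from flyway-docker or from anyone in this thread), here is a small Python release gate that parses Trivy's table output as pasted above (an abridged, constructed copy is embedded) into one finding per CVE, carrying library, severity and installed version across rows that share a cell, and returns the CRITICAL/HIGH entries a pipeline would refuse to publish an image with.

```python
# Constructed sample in Trivy's table layout, abridged from the scan pasted in the issue.
# Rows that continue past a "+" separator (CVE-2022-42004) leave shared cells blank.
SAMPLE_REPORT = """
+---+---+---+---+---+---+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---+---+---+---+---+---+
| com.fasterxml.jackson.core:jackson-databind | CVE-2022-42003 | HIGH | 2.13.2.1 | 2.14.0-rc1 | In FasterXML jackson-databind before |
|  |  |  |  |  | 2.14.0-rc1, resource exhaustion c ... |
|  |  |  |  |  | -->avd.aquasec.com/nvd/cve-2022-42003 |
+  +---+  +  +---+---+
|  | CVE-2022-42004 |  |  | 2.13.4 | In FasterXML jackson-databind before |
|  |  |  |  |  | 2.13.4, resource exhaustion can o ... |
+---+---+---+---+---+---+
| org.hsqldb:hsqldb | CVE-2022-41853 | CRITICAL | 2.6.1 | 2.7.1 | Those using java.sql.Statement |
+---+---+---+---+---+---+
"""

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def parse_trivy_table(report):
    """Turn Trivy's ASCII table into one dict per CVE, merging wrapped rows."""
    findings, last = [], {}
    for line in report.splitlines():
        if not line.startswith("|"):
            continue                      # "+---+" separators and any non-table text
        cells = [c.strip() for c in line.strip()[1:-1].split("|")]
        if len(cells) < 6 or cells[0] == "LIBRARY":
            continue                      # malformed row, or the header row
        lib, cve, sev, installed, fixed, title = cells[:6]
        if cve:                           # a new finding starts where the ID cell is filled;
            last = {                      # blank cells inherit from the row above (spanned cell)
                "library": lib or last.get("library"),
                "id": cve,
                "severity": sev or last.get("severity"),
                "installed": installed or last.get("installed"),
                "fixed": fixed, "title": title, "url": "",
            }
            findings.append(last)
        elif last and title.startswith("-->"):
            last["url"] = title[3:]       # the advisory reference line
        elif last:
            last["title"] = f"{last['title']} {title}".strip()   # wrapped title text
    return findings


def release_blockers(findings, fail_on=("CRITICAL", "HIGH")):
    """Findings that should fail an image-release gate, most severe first."""
    blockers = [f for f in findings if f["severity"] in fail_on]
    return sorted(blockers, key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["id"]))
```

Run against real output with `trivy image --format table` piped into `parse_trivy_table`, or switch to `--format json` for a stable schema once the gate is in CI.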