google/jimfs

Vulnerability reporting inconsistency for CVE-2020-8908

stevemagness opened this issue · 4 comments

I noticed that CVE-2020-8908 is reported as a vulnerability in Maven for jimfs 1.1, but not for jimfs 1.2. It is actually a vulnerability in the Guava dependency which there is a long discussion about here.

Using OWASP Dependency Check, jimfs 1.2 still reports the vulnerability.

Which is correct, the Maven page or the OWASP tool? Essentially, is jimfs 1.2 vulnerable to that CVE in any way?

jimfs doesn't use the method in Guava that the CVEs are about. Now, part of the trouble has been that it's somewhat unclear to us when different tools consider different projects to be "vulnerable," including that I'm not sure why the warning appears on only some versions of jimfs.

Given the apparent recent increase in warnings around the CVE, and given that Guava users have had plenty of time to migrate off the vulnerable method, we're hoping to make a change (within the next week or so??) that will be indisputably safe enough to eliminate all this. Fingers crossed....

(It turns out that, as far as I've been able to determine, we have no one with deploy permissions for jimfs who is not OOO for a bit. But I'm planning to make the release with the updated Guava dep as soon as that's no longer the case.)

I got permissions. I am trying to decide whether to wait to pull in Guava 32.1.1 before making a release. But I won't wait too long.

I released 1.3.0, which depends on a version of Guava new enough to avoid the vulnerability report. It's in Maven Central.
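As an added illustration (not from the maintainers or the jimfs project), the two ways a Maven consumer can make the transitive Guava version resolve to one that scanners no longer flag: upgrade to the jimfs 1.3.0 release mentioned above, or, for a project pinned to jimfs 1.2, pin Guava itself in dependencyManagement so the 1.2 POM's older Guava is overridden. The Guava 32.1.1-jre coordinates and the jimfs artifact coordinates are assumptions; check them against Maven Central for your build.

```xml
<!-- Added example, not jimfs project configuration. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Option B only: force the Guava version that jimfs 1.2 pulls in
           transitively. Maven's nearest-wins resolution otherwise keeps the
           older Guava declared in the jimfs 1.2 POM, which is what
           Dependency Check matches against CVE-2020-8908. -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.1.1-jre</version> <!-- assumed coordinates -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Option A (preferred): jimfs 1.3.0 already depends on a newer Guava,
         so no override is needed. -->
    <dependency>
      <groupId>com.google.jimfs</groupId>
      <artifactId>jimfs</artifactId>
      <version>1.3.0</version>
    </dependency>
  </dependencies>
</project>
```

After either change, confirm the resolved version with `mvn dependency:tree -Dincludes=com.google.guava` before re-running the scanner; the finding is a match on the resolved Guava artifact, not on any jimfs code path.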