mirromutth/r2dbc-mysql

OWASP Dependency check...

Mike-Huggins opened this issue · 2 comments

Hello,

I am getting critical failures from the OWASP dependency checker and I wondered if there were any plans for a new release to combat these, please? Obviously this is the recommended reactive database driver for MySQL from here: https://spring.io/projects/spring-data-r2dbc.

Or, if this repo is not as active, should I migrate code to the other option: https://github.com/jasync-sql/jasync-sql?

The dependency failures, for your awareness, are:
netty-tcnative-classes-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869, CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409, CVE-2021-21290

netty-incubator-codec-classes-quic-0.0.25.Final.jar: CVE-2021-43797, CVE-2019-16869, CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409, CVE-2021-21290

Have you noticed that most of the reported CVEs describe HTTP or compression-related components? None of these apply to the driver because the driver isn't using HTTP, BZIP, or Snappy.

In any case, please upgrade the Netty version in your project to avoid dependency checker warnings.

Thank you for the very speedy response. Unfortunately I am on the latest version of Netty, 4.1.74.Final, and the latest dependency checker. Perhaps I need to raise this with them...
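As an added example for this thread (not code from the r2dbc-mysql project or from either commenter): the two flagged jars are netty-tcnative-classes 2.0.48.Final and netty-incubator-codec-classes-quic 0.0.25.Final, yet every CVE in the list is one that NVD files under the generic Netty product and that Netty 4.1.74.Final already carries the fix for. The likely explanation, stated here as an assumption rather than something the thread confirms, is that dependency-check matches both jars to the umbrella identifier cpe:/a:netty:netty and then compares their own version strings (2.0.x, 0.0.x) against Netty's vulnerable ranges. A suppression scoped to exactly those two artifacts and exactly those CVE ids clears the report without hiding a future advisory that genuinely concerns either jar, which a blanket CPE suppression would do. The package URLs and the CPE in the file are assumptions about how the report identifies the jars; confirm them against the Identifiers section of your own report before committing the file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP dependency-check.
     Assumed package URLs (verify in your report's Identifiers section):
       pkg:maven/io.netty/netty-tcnative-classes@2.0.48.Final
       pkg:maven/io.netty.incubator/netty-incubator-codec-classes-quic@0.0.25.Final
     Assumed matched CPE: cpe:/a:netty:netty -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <suppress>
        <notes><![CDATA[
        False positive: netty-tcnative-classes and netty-incubator-codec-classes-quic are
        matched to the umbrella cpe:/a:netty:netty and compared against io.netty:netty
        version ranges. The CVEs below are HTTP / compression codec issues fixed before
        Netty 4.1.74.Final, which is the Netty version actually on the classpath.
        Suppression is by artifact AND CVE id, not by CPE, so a future advisory
        that really concerns these jars is still reported.
        ]]></notes>
        <!-- regex="true": one pattern covers both artifacts, any version -->
        <packageUrl regex="true">^pkg:maven/io\.netty(\.incubator)?/netty-(tcnative-classes|incubator-codec-classes-quic)@.*$</packageUrl>
        <cve>CVE-2014-3488</cve>
        <cve>CVE-2015-2156</cve>
        <cve>CVE-2019-16869</cve>
        <cve>CVE-2019-20444</cve>
        <cve>CVE-2019-20445</cve>
        <cve>CVE-2021-21290</cve>
        <cve>CVE-2021-21295</cve>
        <cve>CVE-2021-21409</cve>
        <cve>CVE-2021-37136</cve>
        <cve>CVE-2021-37137</cve>
        <cve>CVE-2021-43797</cve>
    </suppress>

</suppressions>
```

Pass the file with `--suppression suppressions.xml` on the dependency-check CLI, or via `<suppressionFiles>` in the Maven plugin configuration. Before suppressing anything, do the check the maintainer's reply implies: confirm that netty-codec-http and the compression codecs are not on the runtime classpath (`mvn dependency:tree` or `gradle dependencies`), and that the io.netty:netty-* jars themselves are at 4.1.74.Final or later. If either of those is not true, the findings are real and the suppression must not be applied.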