Library vulnerable to CVE-2017-5929
Opened this issue · 3 comments
This library has been identified as vulnerable to CVE-2017-5929, this is listed as a Critical severity issue. Please can this be resolved.
see https://nvd.nist.gov/vuln/detail/CVE-2017-5929
Found using dependency-check-maven https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
This was a false positive.
Fixed in
jeremylong/DependencyCheck#2594
which will be DependencyCheck v5.4.0.
The workaround in lower versions of DC is to define the suppression manually.
Here is sample suppression file:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress base="true">
<notes><![CDATA[
FP per #2594
]]></notes>
<!-- scope: only artifacts in the ch.qos.logback.contrib group -->
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/.*$</packageUrl>
<!-- drop only the wrong logback CPE match; other CPEs for these artifacts are still reported -->
<cpe>cpe:/a:logback:logback</cpe>
</suppress>
</suppressions>
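To actually apply that suppression in a DependencyCheck version below 5.4.0, the file has to be referenced from the plugin configuration. The pom.xml fragment below is an added example, not part of the original issue or of the DependencyCheck project's own documentation; the file path `dependency-check-suppressions.xml`, the plugin version and the CVSS threshold are assumptions, while `suppressionFiles` and `failBuildOnCVSS` are real dependency-check-maven parameters.

```xml
<!-- pom.xml fragment (added example; path, version and threshold are assumed) -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- assumed: a release older than 5.4.0, where the manual suppression is still needed -->
      <version>5.3.2</version>
      <configuration>
        <!-- the suppression file from the comment above, checked into the repo (assumed location) -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- still fail the build on a genuine high/critical finding (CVSS >= 7, assumed threshold) -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn verify` then executes the check with the suppression in place; because the suppression is keyed on both the package URL regex and the single CPE, a later real logback finding on the same artifacts is not hidden. Once the build moves to DependencyCheck v5.4.0 or later, where #2594 ships the fix, the entry can be removed again.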
I thought it would be necessary to upgrade ch.qos.logback dependencies from v1.1.3 to v1.2.0?
I second that this should depend on logback 1.2.0 in order to fix that vulnerability.
Are there any plans to update the dependency?