Address commons-io vuln
Closed this issue · 2 comments
metametadata commented
Grype detects the next vuln in root/.lein/self-installs/leiningen-2.11.2-standalone.jar:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
commons-io 2.8.0 2.14.0 java-archive GHSA-78wr-2p64-hpwj High
Would be nice to update Lein to not trigger this report.
technomancy commented
This isn't relevant to Leiningen's use of commons-io, which does not operate on untrusted input. If an attacker can replace XML in a repository you read from, they can do much worse than consume CPU!
metametadata commented
I understand, it's a common case with vulns that they are unreachable. But why not bump the dep simply to get rid of this report in all the consumers' automated pipelines?
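For consumers whose pipelines keep flagging this finding while the dependency is still at 2.8.0, the scanner side offers a middle ground: a Grype ignore rule scoped tightly to this one package, version and location, with the maintainer's reachability argument recorded next to it. The following `.grype.yaml` is an added example written for this thread, not a file from the Leiningen project; the path pattern is taken from the report above, and the `ignore` / `package` keys are Grype's documented configuration keys, but check them against the Grype version you run.

```yaml
# .grype.yaml (added example, not part of the Leiningen repository)
#
# Suppress GHSA-78wr-2p64-hpwj only for the commons-io bundled inside the
# leiningen standalone jar. Maintainer's rationale (see the thread above):
# Leiningen does not feed untrusted XML to commons-io, and an attacker who
# can alter repository XML already has far more capability than CPU exhaustion.
#
# The rule is deliberately narrow: same vulnerability in any other package,
# version or path is still reported, and the rule stops matching as soon as
# the bundled commons-io is bumped to a fixed version (2.14.0 per the report).
ignore:
  - vulnerability: GHSA-78wr-2p64-hpwj
    package:
      name: commons-io
      version: 2.8.0
      type: java-archive
      location: "**/.lein/self-installs/leiningen-*-standalone.jar"
```

Run the scan with the file in the working directory (or pass it with `-c`) and the finding moves from the results to the ignored set; if a later Leiningen release ships a newer commons-io, the `version: 2.8.0` match no longer applies and nothing stays silently hidden.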