-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
repave dependencies #760
base: master
Are you sure you want to change the base?
repave dependencies #760
Conversation
📦 Vulnerable Dependencies✍️ Summary
🔬 Research Details |
at 📦🔍 Contextual Analysis CVE Vulnerability
DescriptionThe scanner checks for calls to the vulnerable functions with external input:
For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The input argument to those functions is a cyclic object (e.g. a CVE detailsAn issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies. |
the jackson-databind vulnerability is rejected by jackson team - see FasterXML/jackson-databind#3972 suggest you need to whitelist this dependency (as has been done at my employer in a similar dep scanning tool) |
Thanks for your contribution, @gregallen! It appears that all Gradle tests are failing. You can check out the details here: https://github.com/jfrog/build-info/actions/runs/6308986191/job/17137306523?pr=760 Would you be able to take a look? |
I have read the CLA Document and I hereby sign the CLA