DataDog / java-dogstatsd-client

Java statsd client library
MIT License

Fix security issue SNYK-JAVA-COMGITHUBJNR-1570422 by upgrading jnr-unixsocket #181

Closed marko-asplund closed 2 years ago

marko-asplund commented 2 years ago

Snyk scan for my service reports the following vulnerability:

```
  ✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422] in com.github.jnr:jnr-posix@3.0.61
    introduced by com.foo:barlib_2.13@0.1.0-SNAPSHOT > com.avast.cloud:datadog4s-statsd_2.13@0.31.1 > com.datadoghq:java-dogstatsd-client@3.0.0 > com.github.jnr:jnr-unixsocket@0.36 > com.github.jnr:jnr-posix@3.0.61 and 2 other path(s)
  This issue was fixed in versions: 3.1.8
```

Address this issue by upgrading jnr-unixsocket to v0.38.15 that in turn depends on jnr-posix v3.1.14.
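A consumer that wants the fixed jnr-posix on its classpath without waiting for this library can pin the transitive versions in its own build. The Maven fragment below is an added example, not code from this thread or from the java-dogstatsd-client project; it uses the version numbers proposed above, assumes the consuming build runs on Java 8 or later (the newer jnr-unixsocket drops Java 7), and the `com.example:my-service` coordinates are placeholders.

```xml
<!-- Added consumer-side example, not from the java-dogstatsd-client project.
     Assumes the consuming build runs on Java 8+, since jnr-unixsocket 0.38.15 drops Java 7. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder -->
  <artifactId>my-service</artifactId>     <!-- placeholder -->
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Force the jnr-unixsocket that java-dogstatsd-client 3.0.0 pulls in
           (it declares 0.36) up to the version proposed in this issue. -->
      <dependency>
        <groupId>com.github.jnr</groupId>
        <artifactId>jnr-unixsocket</artifactId>
        <version>0.38.15</version>
      </dependency>
      <!-- Pin jnr-posix explicitly so no other dependency path on the classpath
           still resolves to the 3.0.61 release flagged by Snyk (fixed in 3.1.8+). -->
      <dependency>
        <groupId>com.github.jnr</groupId>
        <artifactId>jnr-posix</artifactId>
        <version>3.1.14</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.datadoghq</groupId>
      <artifactId>java-dogstatsd-client</artifactId>
      <version>3.0.0</version>
    </dependency>
  </dependencies>
</project>
```

After the override, `mvn dependency:tree -Dincludes=com.github.jnr` should list only the pinned 0.38.15 and 3.1.14 artifacts on every path; the same check is what a Snyk rescan will effectively repeat.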

vickenty commented 2 years ago

Thank you! We are aware of this issue, but unfortunately we can not update jnr-unixsocket version because it drops Java 7 support.

The good news is that java-dogstatsd-client is not affected by this vulnerability, as jnr-unixsocket does not use the affected function of jnr-posix.

We are looking into ways to improve the situation, but simply upgrading the dependency is not possible, so I'm going to close this.

marko-asplund commented 2 years ago

Thanks 👍 Does an issue for this exist, so I could subscribe and get notified when this gets resolved?