Closed markusmuellerusi closed 3 months ago
Fair question.
We don't usually publish new releases to resolve vulnerable dependencies, unless the vulnerabilities are exploitable and have demonstrable impact. In this case, none of the vulnerabilities are exploitable. If you have contrary evidence, please let us know and we'll act accordingly.
The majority of these findings will be resolved in Dependency-Track v4.12.0. In particular the Jetty upgrade required a bit of refactoring (see #3730), so it is not feasible to include it in a bugfix release.
Thanks, that's fair enough.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Current Behavior
Dependency-Track contains some vulnerabilities caused by Alpine 2.2.5: How should this be handled without updating to Alpine 2.2.6 (not available) or 3.0.0-Snapshot?
Steps to Reproduce
Expected Behavior
Regular and shorter update interval for dependencies.
Dependency-Track Version
4.11.2
Dependency-Track Distribution
Executable WAR
Database Server
Microsoft SQL Server
Database Server Version
No response
Browser
Microsoft Edge
Checklist