DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Vulnerabilities caused by Alpine 2.2.5 #3809

Closed markusmuellerusi closed 3 months ago

markusmuellerusi commented 3 months ago

Current Behavior

Dependency-Track contains some vulnerabilities caused by Alpine 2.2.5: [screenshot] How should this be handled without updating to Alpine 2.2.6 (not available) or 3.0.0-Snapshot?

Steps to Reproduce

  1. Scan Dependency-Track source with Dependency-Track

Expected Behavior

Regular and shorter update interval for dependencies.

Dependency-Track Version

4.11.2

Dependency-Track Distribution

Executable WAR

Database Server

Microsoft SQL Server

Database Server Version

No response

Browser

Microsoft Edge

nscuro commented 3 months ago

Fair question.

We don't usually publish new releases to resolve vulnerable dependencies, unless the vulnerabilities are exploitable and have demonstrable impact. In this case, none of the vulnerabilities are exploitable. If you have contrary evidence, please let us know and we'll act accordingly.

The majority of these findings will be resolved in Dependency-Track v4.12.0. In particular the Jetty upgrade required a bit of refactoring (see #3730), so it is not feasible to include it in a bugfix release.
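The thread asks how findings in a dependency should be handled when no fix is available, and the maintainer's answer is that the findings were reviewed and judged non-exploitable. The script below is an added example, not code from the Dependency-Track project or from either commenter: it drives the workflow the issue describes (upload a CycloneDX BOM for a project, read back the findings, count what is still open versus already triaged) and builds the analysis decision that records "not affected, with a justification" against a finding. It assumes the v4 REST API paths `/api/v1/bom`, `/api/v1/analysis` and `/api/v1/finding/project/{uuid}`, the `X-Api-Key` header, the `NOT_AFFECTED`/`CODE_NOT_REACHABLE` enum values, and the findings JSON shape shown in the constructed sample; the project and component UUIDs are placeholders.

```python
"""Added example (not Dependency-Track project code): a small client for the
Dependency-Track v4 REST API that uploads a CycloneDX BOM, summarises the
resulting findings, and records a NOT_AFFECTED analysis decision for a finding
the team has judged non-exploitable. Endpoint paths, header names, enum values
and the findings JSON shape are assumptions based on the public v4 API."""
import base64
import json
from typing import Dict, Iterable, Optional
from urllib import request

# Analysis states that mean "reviewed, not an open risk" (assumed enum values).
TRIAGED_STATES = {"NOT_AFFECTED", "FALSE_POSITIVE", "RESOLVED"}


def bom_upload_body(project_uuid: str, bom_bytes: bytes) -> Dict[str, str]:
    """Body for PUT /api/v1/bom: the BOM travels base64-encoded inside JSON."""
    return {"project": project_uuid,
            "bom": base64.b64encode(bom_bytes).decode("ascii")}


def analysis_body(project_uuid: str, component_uuid: str, vuln_uuid: str,
                  justification: str, comment: str) -> Dict[str, object]:
    """Body for PUT /api/v1/analysis recording why a finding is not exploitable.
    `justification` is a CycloneDX VEX justification such as CODE_NOT_REACHABLE
    (assumed enum value); the comment should say who reviewed it and why."""
    return {"project": project_uuid, "component": component_uuid,
            "vulnerability": vuln_uuid, "analysisState": "NOT_AFFECTED",
            "analysisJustification": justification, "comment": comment,
            "suppressed": True}


def summarise_findings(findings: Iterable[dict]) -> Dict[str, object]:
    """Count open findings per severity; triaged or suppressed ones are set
    aside so a release decision rests on what is actually unresolved."""
    open_counts: Dict[str, int] = {}
    triaged = 0
    for f in findings:
        analysis = f.get("analysis") or {}
        if analysis.get("isSuppressed") or analysis.get("state") in TRIAGED_STATES:
            triaged += 1
            continue
        sev = (f.get("vulnerability") or {}).get("severity", "UNASSIGNED")
        open_counts[sev] = open_counts.get(sev, 0) + 1
    return {"open": open_counts, "triaged": triaged}


def call(base_url: str, api_key: str, path: str, method: str = "GET",
         body: Optional[dict] = None):
    """Send one authenticated request; only used against a live server."""
    data = None if body is None else json.dumps(body).encode()
    req = request.Request(f"{base_url}{path}", data=data, method=method,
                          headers={"X-Api-Key": api_key,
                                   "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of what GET /api/v1/finding/project/{uuid} returns,
# trimmed to the fields used above (shape is an assumption; IDs are made up).
SAMPLE_FINDINGS = [
    {"component": {"name": "alpine-server"},
     "vulnerability": {"vulnId": "EXAMPLE-0001", "severity": "HIGH"},
     "analysis": {"state": "NOT_SET", "isSuppressed": False}},
    {"component": {"name": "jetty-server"},
     "vulnerability": {"vulnId": "EXAMPLE-0002", "severity": "MEDIUM"},
     "analysis": {}},
    {"component": {"name": "alpine-common"},
     "vulnerability": {"vulnId": "EXAMPLE-0003", "severity": "HIGH"},
     "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
    {"component": {"name": "jackson-databind"},
     "vulnerability": {"vulnId": "EXAMPLE-0004", "severity": "CRITICAL"},
     "analysis": {"state": "IN_TRIAGE", "isSuppressed": True}},
]

if __name__ == "__main__":
    # Offline: two findings remain open, two were already triaged.
    print(summarise_findings(SAMPLE_FINDINGS))
    # Live use (placeholders): upload the BOM, then fetch and summarise findings.
    # call(BASE_URL, API_KEY, "/api/v1/bom", "PUT",
    #      bom_upload_body(PROJECT_UUID, open("bom.json", "rb").read()))
    # print(summarise_findings(call(BASE_URL, API_KEY,
    #                               f"/api/v1/finding/project/{PROJECT_UUID}")))
```

Recording the decision through the analysis endpoint rather than ignoring the finding keeps the reasoning auditable: the state and justification stay attached to the component and can be exported with the project's VEX, so the next scan does not reopen a question the team has already answered.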

markusmuellerusi commented 3 months ago

Thanks, that's fair enough.

github-actions[bot] commented 2 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.