IBM / cloudant-java-sdk

Cloudant SDK for Java
Apache License 2.0

commons-io:commons-io:2.7 is Flagged in XRay Scan #478

Closed snackerphi closed 1 year ago

snackerphi commented 1 year ago

Describe the bug

XRay scan is flagging commons-io:commons-io:2.7 as vulnerable to a divide-by-zero DoS attack. Issue in com.ibm.cloud:sdk-core

To Reproduce

Expected behavior

No vulnerabilities in dependent libraries

Screenshots

Must gather (please complete the following information):

Additional context
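Added example, not code from the cloudant-java-sdk project or from anyone in this thread: a small Python parser for `mvn dependency:tree` text output that reports every path from the root artifact to the flagged coordinate, so a reader can confirm which direct dependency (here `com.ibm.cloud:sdk-core`, pulled in through the Cloudant SDK) is the one that has to move before the scanner finding clears. It assumes a Maven build; the sample tree below is constructed for illustration, and every version in it other than the flagged commons-io 2.7 is made up.

```python
"""Locate a scanner-flagged transitive dependency in `mvn dependency:tree` output.

Added example; not part of cloudant-java-sdk. The sample tree below is
constructed: only commons-io 2.7 is the version named in the report, all
other versions are placeholders.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- com.ibm.cloud:cloudant:jar:0.7.0:compile
[INFO] |  +- com.ibm.cloud:sdk-core:jar:9.18.5:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
[INFO] |  |  \\- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# One tree node: optional "[INFO] " prefix, then tree-drawing characters
# ("+- ", "|  ", "\- ", "   "), then group:artifact:packaging[:classifier]:version[:scope]
LINE_RE = re.compile(r"^(?:\[INFO\]\s)?(?P<prefix>[\s|+\\-]*)(?P<coords>\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, 'group:artifact', version) for each node, in tree order."""
    nodes: List[Tuple[int, str, str]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # BUILD SUCCESS lines, plugin banners, etc.
        parts = m.group("coords").split(":")
        if len(parts) < 4:
            continue  # not a Maven coordinate
        # Maven prints each nesting level as a three-character cell.
        depth = len(m.group("prefix")) // 3
        # Root has no scope (4 parts); others end in ":scope", so the
        # version is the last part for the root and second-to-last otherwise.
        version = parts[-1] if len(parts) == 4 else parts[-2]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", version))
    return nodes


def find_paths(text: str, group: str, artifact: str,
               version: Optional[str] = None) -> List[List[str]]:
    """Every root-to-leaf path that ends at group:artifact (optionally at one version)."""
    target = f"{group}:{artifact}"
    stack: List[str] = []   # ancestors of the node being visited
    hits: List[List[str]] = []
    for depth, ga, ver in parse_tree(text):
        del stack[depth:]    # pop back to this node's parent level
        stack.append(f"{ga}:{ver}")
        if ga == target and (version is None or ver == version):
            hits.append(list(stack))
    return hits


def direct_dependencies(paths: List[List[str]]) -> List[str]:
    """The first-level dependency on each path: the coordinate you actually control."""
    return sorted({p[1] for p in paths if len(p) > 1})


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "commons-io", "commons-io", "2.7"):
        print(" -> ".join(path))
    print("upgrade candidates:", direct_dependencies(
        find_paths(SAMPLE_TREE, "commons-io", "commons-io", "2.7")))
```

Run `mvn dependency:tree > tree.txt` in the affected project and feed the file to `find_paths`; after bumping the direct dependency, re-run and confirm the flagged coordinate no longer appears, which is the same check a scanner such as XRay performs against the resolved artifact set.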

emlaver commented 1 year ago

@snackerphi thanks for reporting this. Given that you've opened a ticket in java-sdk-core, it's best to wait for an update in that repo and then we'll get the core dependabot PR here.

Also, we don't have an SDK version 17.0.2. I'm assuming you meant the latest version 0.7.0.

snackerphi commented 1 year ago

Oops... yes. I've corrected that.

snackerphi commented 1 year ago

@emlaver, just FYI, this has been fixed in java-sdk-core version 9.18.6.

ricellis commented 1 year ago

https://github.com/IBM/cloudant-java-sdk/releases/tag/v0.7.1