JLLeitschuh / ktlint-gradle

A ktlint gradle plugin
MIT License

CVE-2021-42550: transitive dependency on outdated logback #606

Closed binkley closed 1 year ago

binkley commented 2 years ago

$ ./gradlew clean build

Build says:

> Task :dependencyCheckAnalyze
Verifying dependencies for project kotlin-magic-bus
Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project kotlin-magic-bus
Found 2 vulnerabilities in project kotlin-magic-bus

One or more dependencies were identified with known vulnerabilities in kotlin-magic-bus:

logback-classic-1.3.0.jar (pkg:maven/ch.qos.logback/logback-classic@1.3.0, cpe:2.3:a:qos:logback:1.3.0:*:*:*:*:*:*:*) : CVE-2021-42550
logback-core-1.3.0.jar (pkg:maven/ch.qos.logback/logback-core@1.3.0, cpe:2.3:a:qos:logback:1.3.0:*:*:*:*:*:*:*) : CVE-2021-42550

Checking dependencies says:

ktlint - Main ktlint-gradle configuration
\--- com.pinterest:ktlint:0.47.1
     +--- ch.qos.logback:logback-classic:1.3.0
     |    +--- ch.qos.logback:logback-core:1.3.0

JLLeitschuh commented 2 years ago

This is a vulnerability in ktlint directly and not this plugin specifically. I suggest reporting this upstream.

wakingrufus commented 1 year ago

New versions of ktlint have been released that depend on a newer version of logback, so upgrading to one of those will solve this issue.
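The two remediation paths discussed in this thread, written out as a Gradle Kotlin DSL fragment. This is an added example, not code from the issue or from the ktlint-gradle project. It assumes the ktlint-gradle plugin is applied (its `ktlint { version.set(...) }` extension property selects the ktlint release the plugin resolves into the `ktlint` configuration shown above), and it uses placeholder version strings because the thread does not name a fixed ktlint or logback release:

```kotlin
// build.gradle.kts (added example; assumes org.jlleitschuh.gradle.ktlint is applied)

// Preferred fix, as wakingrufus describes: move to a ktlint release that
// already depends on a patched logback. Replace the placeholder with the
// release you have verified against the CVE-2021-42550 advisory.
ktlint {
    version.set("<patched-ktlint-version>")
}

// Fallback if you cannot move ktlint yet: override the transitive logback
// version only inside the plugin's own "ktlint" configuration (the
// "Main ktlint-gradle configuration" from the dependency report). This does
// not touch your project's runtime classpath, only the tool classpath the
// plugin resolves when it runs ktlint.
configurations.named("ktlint") {
    resolutionStrategy.eachDependency {
        if (requested.group == "ch.qos.logback") {
            useVersion("<patched-logback-version>")
            because("CVE-2021-42550: logback-core/logback-classic 1.3.0 pulled in transitively by ktlint")
        }
    }
}
```

After applying either change, re-run `./gradlew dependencies --configuration ktlint` to confirm the resolved `ch.qos.logback` coordinates moved off 1.3.0, then `./gradlew dependencyCheckAnalyze` to confirm the two findings no longer appear. Forcing a version in the `ktlint` configuration only pins what the build tool loads; it is a stopgap until the ktlint upgrade is possible, since a forced logback version that ktlint was never tested against can break the tool at runtime.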