search

OHDSI / WhiteRabbit

WhiteRabbit is a small application that can be used to analyse the structure and contents of a database as preparation for designing an ETL. It comes with RabbitInAHat, an application for interactive design of an ETL to the OMOP Common Data Model with the help of the the scan report generated by White Rabbit.
http://ohdsi.github.io/WhiteRabbit
Apache License 2.0
174 stars 85 forks source link

[Snyk] Fix for 6 vulnerabilities #285

Closed MaximMoinat closed 3 years ago

MaximMoinat commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Upgrade Breaking Change Exploit Maturity
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Information Exposure
SNYK-JAVA-COMMONSCODEC-561518		 org.apache.poi:poi:
3.17 -> 4.1.1
org.apache.poi:poi-excelant:
3.17 -> 5.0.0
org.apache.poi:poi-ooxml:
3.17 -> 4.1.1
Yes No Known Exploit
low severity 399/1000
Why? Has a fix available, CVSS 3.7		 Arbitrary Code Injection
SNYK-JAVA-ORGAPACHEANT-1015405		 org.apache.poi:poi-excelant:
3.17 -> 5.0.0
Yes No Known Exploit
medium severity 539/1000
Why? Has a fix available, CVSS 6.5		 Insecure Default
SNYK-JAVA-ORGAPACHEANT-569130		 org.apache.poi:poi-excelant:
3.17 -> 5.0.0
Yes No Known Exploit
medium severity 464/1000
Why? Has a fix available, CVSS 5		 XML External Entity (XXE) Injection
SNYK-JAVA-ORGAPACHEPOI-548686		 org.apache.poi:poi-excelant:
3.17 -> 5.0.0
org.apache.poi:poi-ooxml:
3.17 -> 4.1.1
Yes No Known Exploit
high severity 629/1000
Why? Has a fix available, CVSS 8.3		 XML External Entity (XXE) Injection
SNYK-JAVA-ORGAPACHEXMLBEANS-1060048		 org.apache.poi:poi-excelant:
3.17 -> 5.0.0
org.apache.poi:poi-ooxml:
3.17 -> 4.1.1
org.apache.poi:poi-ooxml-schemas:
3.9 -> 4.0.0
org.apache.xmlbeans:xmlbeans:
2.3.0 -> 3.0.0
Yes No Known Exploit
high severity 635/1000
Why? Has a fix available, CVSS 8.2		 XML External Entity (XXE) Injection
SNYK-JAVA-ORGPOSTGRESQL-571481		 org.postgresql:postgresql:
42.2.5 -> 42.2.13
No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

MaximMoinat commented 3 years ago

XmlBeans version update gives too many problems because of interplay with apache poi