TIBCOSoftware / jasperreports

JasperReports® - Free Java Reporting Library
https://community.jaspersoft.com/downloads/community-edition/
GNU Lesser General Public License v3.0

Vulnerable dependency commons-collections #424

Closed danielpeintner closed 6 months ago

danielpeintner commented 6 months ago

FYI: The IntelliJ IDE shows the following warning for the dependency net.sf.jasperreports:jasperreports:6.21.2

Provides transitive vulnerable dependency maven:commons-collections:commons-collections:3.2.2 Cx78f40514-81ff 7.5 Uncontrolled Recursion vulnerability with High severity found Results powered by Checkmarx(c)

see https://devhub.checkmarx.com/cve-details/Cx78f40514-81ff/

teodord commented 6 months ago

We are not familiar with the checkmarx.com CVE database. We are using an OWASP plugin to regularly check for CVEs and also GitHub has a scanner which raises CVE notifications for us on a regular basis. The CVE you mentioned is from 2018 and did not surface yet on OWASP or GitHub, so we are going to ignore it for now. There is nothing we can do about it anyway because Commons Collections 3 is required by Digester and we cannot upgrade or get rid of digester. At least not yet.
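To see which direct dependency is the one that drags the flagged artifact into a build (the jasperreports -> digester -> commons-collections chain described above), here is an added example, not code from the issue or from the JasperReports project, that parses `mvn dependency:tree` text output and reports the parent chain; the sample tree and the commons-digester coordinates in it are constructed for illustration.

```python
"""Locate the chain of parents that pulls a flagged artifact into a Maven build,
by parsing the plain-text output of `mvn dependency:tree`."""
import re

# Constructed sample output; the commons-digester coordinates and the other
# siblings are assumed for illustration, not taken from the project's pom.
SAMPLE_TREE = """\
[INFO] com.example:report-app:jar:1.0.0
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.21.2:compile
[INFO] |  +- commons-digester:commons-digester:jar:2.1:compile
[INFO] |  |  \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \\- org.eclipse.jdt:ecj:jar:3.21.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Tree lines look like "[INFO] |  +- group:artifact:type:version:scope";
# each nesting level adds a three-character column ("|  " or "   ").
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ]  )*)(?P<conn>[+\\]- )?(?P<gav>\S+)$")

def parse_tree(text):
    """Return (depth, coordinates) for each dependency line, root at depth 0."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # build chatter such as "[INFO] BUILD SUCCESS"
        depth = len(m.group("prefix")) // 3 + (1 if m.group("conn") else 0)
        nodes.append((depth, m.group("gav")))
    return nodes

def find_paths(text, group_id, artifact_id):
    """Return every root-to-leaf chain whose leaf is group_id:artifact_id."""
    paths, stack = [], []
    for depth, gav in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(gav)
        if gav.startswith(f"{group_id}:{artifact_id}:"):
            paths.append(list(stack))
    return paths

def direct_owner(path):
    """The project's own direct dependency that introduces the leaf (None if the leaf is direct)."""
    return path[1] if len(path) > 2 else None

if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "commons-collections", "commons-collections"):
        print("owner:", direct_owner(path))
        print("  -> ".join(path))
```

Feed it real output from `mvn dependency:tree` on your own project to find out whether an exclusion or an upgrade is even within your control, or whether it sits behind a dependency you do not own.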