afs / rdf-delta

A system to propagate changes between RDF Datasets
https://afs.github.io/rdf-delta/
Apache License 2.0

Vulnerabilities in rdf-delta-server JAR #324

Closed lalewis1 closed 2 months ago

lalewis1 commented 2 months ago

Hi All,

Thanks for the wonderful software.

We have been using the rdf-delta-server jar as part of some of our projects but recent vulnerability scanning has revealed some vulnerabilities.

Specifically, they are to do with the following packages as reported by Trivy:

[image: Trivy scan output listing the affected packages]

The zookeeper and logback vulnerabilities need to be fixed by bumping the curator-test dependencies to newer versions. (I am in the process of signing up for a JIRA account so that I can log an issue for this with curator.apache.org)

But the amazon jdk dependency looks like it can be bumped in the dependencies of this repository.

https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-s3

Link shows that a newer version exists with the vulnerability patched.

Anyway thanks for any assistance, and let me know if you would like more details.

afs commented 2 months ago

Hi Lawson,

Thanks for the report.

Updating com.amazonaws:aws-java-sdk-s3 to 1.12.767 drops the ion-java dependency.

Putting in a direct dependency on ZooKeeper will address the Curator dependency on ZooKeeper. A warning will still be shown if the Versions Maven Plugin is used; it does not respect the Maven resolution rules, but the RDF Delta choice will be used.

The project does have dependabot turned on.
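The fix described in the reply above, shown as an added pom.xml fragment that is not taken from the rdf-delta repository: the S3 SDK is bumped to the 1.12.767 version named in the thread, and ZooKeeper is declared as a direct dependency so that Maven's nearest-wins resolution picks this version over the one Curator pulls in transitively. The ZooKeeper version and the module that carries the dependencies are placeholders, as the thread does not state them.

```xml
<project>
  <!-- Placeholder: set to the patched ZooKeeper release you want to pin. -->
  <properties>
    <zookeeper.version>X.Y.Z</zookeeper.version>
  </properties>

  <dependencies>
    <!-- Bumped to the version named in the issue; this release no longer
         brings in the vulnerable ion-java transitive dependency. -->
    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk-s3</artifactId>
      <version>1.12.767</version>
    </dependency>

    <!-- Direct dependency on ZooKeeper. A dependency declared here sits at
         depth 1 in the tree, so Maven's nearest-wins rule uses this version
         instead of the one resolved transitively through curator-test. -->
    <dependency>
      <groupId>org.apache.zookeeper</groupId>
      <artifactId>zookeeper</artifactId>
      <version>${zookeeper.version}</version>
    </dependency>
  </dependencies>
</project>
```

To confirm which ZooKeeper version actually ends up on the classpath after the change, run `mvn dependency:tree -Dincludes=org.apache.zookeeper` in the module and check that only the pinned version appears; a subsequent scanner run should then report against that version rather than the transitive one. As the reply notes, the Versions Maven Plugin may still flag the transitive version because it does not apply Maven's resolution rules, so its output is not the right place to verify the fix.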

lalewis1 commented 2 months ago

Awesome, thanks Andy :)

And I was not aware of dependabot, very cool.