Hello, we found a vulnerable dependency in your project

Hi! We spot a vulnerable dependency in your project, which might threaten your software. And we found that the vulnerable function of this CVE can be easily accessed from your software, there is no constraint along the invocation path to the vulnerable function.

CVE_ID: CVE-2021-29425
Vulnerable dependency: commons-io:commons-io
Vulnerable function: getPrefixLength(java.lang.String)

Invocation path to the vulnerable method:

org.apache.royale.compiler.internal.tree.mxml.MXMLNodeBase:resolveSourceAttributePath(org.apache.royale.compiler.internal.tree.mxml.MXMLTreeBuilder,org.apache.royale.compiler.mxml.IMXMLTagAttributeData,org.apache.royale.compiler.internal.tree.mxml.MXMLNodeBase$MXMLNodeInfo)
⬇️
org.apache.commons.io.FilenameUtils:concat(java.lang.String,java.lang.String)
⬇️
org.apache.commons.io.FilenameUtils:getPrefixLength(java.lang.String)

Therefore, maybe you need to upgrade this dependency. Hope this can help you! 😄

apache / royale-compiler

Hello, we found a vulnerable dependency in your project #218