maxkohne closed 11 months ago
@mattmook not sure if you are aware of this issue, but the version on Maven is very out of date compared to GitHub. Looks like CI is experiencing the error below. Could we get some eyes on this?
Dependency-Analyze Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '0.0': CVE-2023-3635
See the dependency-check report for more details.
Looking to address this shortly. OkHttp has a new vulnerability against it so the build is failing. I was originally waiting to see if OkHttp would release an update - but alas not.
Regarding the 70 day window - this only matters if you cannot retrieve an up-to-date log list, i.e. the 70 days is from the time of the last cached log list.
@mattmook - terrific! Thank you for looking into this!
Right now, this lib is automatically updated on this repo with updated log list dates. However, the last version to successfully get pushed to Maven is v2.5.6. Every subsequent update isn't passing CI (https://github.com/appmattus/certificatetransparency/actions). According to your comment here, after 70 days, CT is disabled. Since we cannot get the latest versions, everyone will be hitting this 70 day window since we cannot update the library.