asyncer-io / r2dbc-mysql

Reactive Relational Database Connectivity for MySQL. The official successor to mirromutth/r2dbc-mysql (dev.miku:r2dbc-mysql).
https://r2dbc.io
Apache License 2.0

[bug] owasp dependency check fails #148

Closed gkecskemjlr closed 11 months ago

gkecskemjlr commented 11 months ago

Describe the bug

When running a dependency check on a project that depends on this project, the dependency check fails.

To Reproduce

Add the dependency to the pom:

        <dependency>
            <groupId>io.asyncer</groupId>
            <artifactId>r2dbc-mysql</artifactId>
            <version>1.0.3</version>
        </dependency>

Add owasp dependency check to the pom's build plugins section:

            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>8.4.0</version>
                <configuration>
                    <failBuildOnCVSS>4</failBuildOnCVSS>
                    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>

Run: mvn dependency-check:check

Expected behavior

There should not be any security issues raised.

Current result: r2dbc-mysql-1.0.3.jar (pkg:maven/io.asyncer/r2dbc-mysql@1.0.3, cpe:2.3:a:mysql:mysql:1.0.3:*:*:*:*:*:*:*) : CVE-2017-15945, CVE-2009-4028, CVE-2010-1621, CVE-2007-2691, CVE-2015-2575, CVE-2007-5925, CVE-2009-0819, CVE-2010-3677, CVE-2010-3682, CVE-2010-1626, CVE-2007-1420
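The finding above is a CPE mis-attribution: dependency-check pairs the vendor/product it guesses from the coordinates (io.asyncer / r2dbc-mysql both contain "mysql") with the jar's own version, so r2dbc-mysql 1.0.3 is treated as MySQL server 1.0.3 and inherits that product's old CVEs. Until the upstream CPE data is corrected, the usual practitioner fix is a suppression file scoped to this package URL and this CPE. The following is an added example, not code from the issue or the r2dbc-mysql project; the file name dependency-check-suppressions.xml is an assumption, and the suppression XML uses the schema dependency-check itself emits from its HTML report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (file name assumed; point the plugin at it) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: io.asyncer:r2dbc-mysql is an R2DBC driver, not the MySQL server.
        Suppress the CPE match, not the individual CVE ids, so that genuine future
        advisories against io.asyncer:r2dbc-mysql itself still fail the build.
        ]]></notes>
        <!-- regex on the package URL keeps the suppression scoped to this artifact
             (any version), so a real cpe:2.3:a:mysql:mysql match on another
             dependency, e.g. a JDBC driver, is still reported -->
        <packageUrl regex="true">^pkg:maven/io\.asyncer/r2dbc\-mysql@.*$</packageUrl>
        <cpe>cpe:2.3:a:mysql:mysql</cpe>
    </suppress>
</suppressions>
```

Register the file in the plugin configuration from the reproduction above by adding `<suppressionFiles><suppressionFile>dependency-check-suppressions.xml</suppressionFile></suppressionFiles>` next to `<failBuildOnCVSS>`, then re-run `mvn dependency-check:check`; the report should list the jar with no vulnerabilities and show the suppressed CPE under its suppressed identifiers. Suppressing by `<cpe>` rather than by `<cve>` is the safer choice here: the eleven CVEs listed are only the ones the current NVD snapshot attaches to that CPE, and a per-CVE list would silently grow stale as new MySQL server CVEs are published.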

jchrys commented 11 months ago

Thank you very much for bringing up this issue. It appears to be a false positive. I have just created a ticket for it. You can find the ticket here: link.

jchrys commented 11 months ago

Resolved