blagerweij / liquibase-sessionlock

Session-level lock support for Liquibase
Apache License 2.0
118 stars 23 forks

Vulnerability CVE-2022-0839 #31

Closed sogillani closed 1 year ago

sogillani commented 1 year ago

org.owasp:dependency-check-maven reports a vulnerability in the latest version of liquibase-sessionlock

liquibase-sessionlock-1.6.4.jar (pkg:maven/com.github.blagerweij/liquibase-sessionlock@1.6.4, cpe:2.3:a:liquibase:liquibase:1.6.4:*:*:*:*:*:*:*) : CVE-2022-0839

mvn -V dependency-check:aggregate -Pvulnerability-check

blagerweij commented 1 year ago

Thanks for reporting this. The project does not have a dependency on that version of Liquibase; in fact, it has no dependencies it uses. The GitHub workflow runs integration tests with different versions of Liquibase core.
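
A triage check for findings shaped like the one reported above, as an added example that is not part of the thread or of the project's code. It parses the package URL and the CPE out of a finding line and flags the case where the CPE vendor does not appear in the Maven groupId while the CPE version equals the scanned artifact's own version. The function names and the vendor-in-groupId heuristic are assumptions made for illustration.

```python
import re

# Constructed from the finding quoted in the issue, CPE wildcards written out in full.
FINDING = (
    "liquibase-sessionlock-1.6.4.jar "
    "(pkg:maven/com.github.blagerweij/liquibase-sessionlock@1.6.4, "
    "cpe:2.3:a:liquibase:liquibase:1.6.4:*:*:*:*:*:*:*) : CVE-2022-0839"
)

PURL_RE = re.compile(
    r"pkg:maven/(?P<group>[^/\s,]+)/(?P<artifact>[^@\s,]+)@(?P<version>[^\s,)]+)"
)
CPE_RE = re.compile(
    r"cpe:2\.3:(?P<part>[aho]):(?P<vendor>[^:]+):(?P<product>[^:]+):(?P<version>[^:]+)"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_finding(line):
    """Extract Maven coordinates, matched CPE and CVE ids from one finding line."""
    purl = PURL_RE.search(line)
    cpe = CPE_RE.search(line)
    if not purl or not cpe:
        return None
    return {
        "purl": purl.groupdict(),
        "cpe": cpe.groupdict(),
        "cves": CVE_RE.findall(line),
    }


def triage(line):
    """Return 'review-cpe-mismatch', 'direct-match' or 'unparsed' (hypothetical labels)."""
    finding = parse_finding(line)
    if finding is None:
        return "unparsed"
    purl, cpe = finding["purl"], finding["cpe"]
    # Heuristic (assumption): a CPE vendor that is absent from the groupId segments
    # means the CPE names a different publisher's product than the scanned jar.
    vendor_in_group = cpe["vendor"] in purl["group"].split(".")
    # The CPE then carries the scanned artifact's own version number, so the
    # version compared against the CVE range is not the named product's version.
    if not vendor_in_group and cpe["version"] == purl["version"]:
        return "review-cpe-mismatch"
    return "direct-match"
```

A `review-cpe-mismatch` result marks a finding for manual review of the artifact's real dependency tree; it does not by itself establish whether the CVE applies.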