bloomreach / docs-feedback


Update documentation for false-positive h2 jar #121

Closed erictheun closed 1 year ago

erictheun commented 1 year ago

https://xmdocumentation.bloomreach.com/library/concepts/security/h2-vulnerability-false-positive.html

As of brXM versions 13.4.19, 14.7.9, 15.1.1, and 15.2.0, the scope of the H2 dependencies has been changed so that no H2 libraries are included when creating a project distribution. Please upgrade your implementation project to the latest brXM version if you haven't already.

The statement above from the documentation is not correct.

I understood that we could consider it as a false-positive because it is not used in the production environment when using postgres or mysql. We will act accordingly and mark it false-positive in our vulnerability scanner. Imo, you should update the documentation that the h2 jar is still included in the distribution container image in version 15.2.2.

Greetings, Eric
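A way to check for yourself whether a built distribution still ships an H2 jar, as an added example that is not part of the original issue or of Bloomreach's own tooling. The directory layout, jar names and the `1.4.200` version string are constructed placeholders, not taken from the product.

```shell
#!/bin/sh
# Added example (not Bloomreach's code): inspect an exploded distribution
# tree for bundled H2 database jars so a scanner finding can be confirmed
# or dismissed on evidence rather than on the documentation alone.

# Print every jar whose file name identifies the H2 engine, one per line.
# Usage: find_h2_jars <directory>
find_h2_jars() {
    find "$1" -type f \( -name 'h2-*.jar' -o -name 'h2.jar' \) 2>/dev/null | sort
}

# Succeed (exit 0) when at least one H2 jar is present under <directory>.
h2_present() {
    [ "$(find_h2_jars "$1" | grep -c .)" -gt 0 ]
}

# Derive the version from an H2 jar file name: h2-1.4.200.jar -> 1.4.200
h2_version_from_name() {
    basename "$1" .jar | sed 's/^h2-//'
}

# Build a constructed sample tree that mimics an exploded web application
# distribution. The paths and versions are illustrative assumptions only.
make_sample_dist() {
    dist="$(mktemp -d)"
    mkdir -p "$dist/webapps/cms/WEB-INF/lib" "$dist/webapps/site/WEB-INF/lib"
    : > "$dist/webapps/cms/WEB-INF/lib/h2-1.4.200.jar"          # constructed
    : > "$dist/webapps/cms/WEB-INF/lib/postgresql-42.0.0.jar"   # constructed
    : > "$dist/webapps/site/WEB-INF/lib/commons-lang3-3.12.0.jar"
    printf '%s\n' "$dist"
}

# Human-readable report; exit status 1 when H2 is found so the check can
# gate a build pipeline.
report() {
    dist="$1"
    if h2_present "$dist"; then
        echo "H2 jars found under $dist:"
        find_h2_jars "$dist" | while read -r jar; do
            echo "  $jar (version $(h2_version_from_name "$jar"))"
        done
        return 1
    fi
    echo "No H2 jars under $dist"
    return 0
}

# Run against a real tree when a path is given: sh check_h2.sh /path/to/dist
if [ -n "$1" ]; then
    report "$1"
fi
```

The check is name-based: it catches a plainly packaged `h2-*.jar` in `WEB-INF/lib` but not H2 classes relocated into another jar, so for a shaded build you would additionally list jar entries (for example with `unzip -l`) and look for an `org/h2/` package. Whether a present jar is actually a false positive still depends on the runtime repository configuration (PostgreSQL or MySQL rather than H2), which this script does not inspect.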

nvankampenhout commented 1 year ago

Thanks for the feedback @erictheun , there may have been an internal miscommunication about this. I'll check with the engineering team.

nvankampenhout commented 1 year ago

I reverted the last update to the documentation page that added the sentence mentioning the fix versions, it appears that this was a mistake. Apologies and thanks for the heads-up!