cucumber / cucumber-eclipse

Eclipse plugin for Cucumber
MIT License
190 stars 147 forks

Jackson databind CVE-2019-14893 due to inclusion of old datatable-dependencies #482

Open deckaddict opened 1 year ago

deckaddict commented 1 year ago

👓 What did you see?

When using tools such as XRay to look for vulnerabilities, it triggers on the cucumber-eclipse plugin due to the inclusion of datatable-dependencies version 1.1.7, which is flagged as potentially vulnerable to CVE-2019-14893.

✅ What did you expect to see?

It is preferred not to see any warnings of this type, since it is very time consuming to validate whether or not it is a real issue for the usage of the tool.

📦 Which tool/library version are you using?

1.0.0.202110280427

🔬 How could we reproduce it?

Given this issue: https://github.com/cucumber/common/issues/679 I believe that it is enough to get up to the latest version of datatable-dependencies.

📚 Any additional context?

It seems like datatable-dependencies 7.9.0 is the only version that has no known CVEs according to: https://mvnrepository.com/artifact/io.cucumber/datatable/7.9.0
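The report above is a scanner verdict on a shaded jar, and the first thing a practitioner has to do before deciding whether it is a real issue is confirm which jackson-databind build is actually inside the plugin's jars. The script below is an added example, not code from the issue or from the cucumber-eclipse project: it walks a plugin directory, reads the Maven pom.properties that the shade plugin normally carries along, reports the jackson-databind version per jar, and falls back to detecting the classes by name when shading stripped the metadata (the case where a scanner's guess most needs a manual check). The fixed-version threshold 2.9.10.1 is an assumption about the advisory and should be confirmed against it; the jars built by build_sample_plugin_dir are constructed sample data, not real plugin contents.

```python
"""Added example: find which jackson-databind is really bundled in a plugin's jars."""
import tempfile
import zipfile
from pathlib import Path

JACKSON_GROUP = "com.fasterxml.jackson.core"
JACKSON_ARTIFACT = "jackson-databind"
# A class that every jackson-databind build ships; used when no Maven metadata survived shading.
JACKSON_MARKER_CLASS = "com/fasterxml/jackson/databind/ObjectMapper.class"
# Assumption: first release fixing CVE-2019-14893. Confirm against the advisory before relying on it.
FIXED_VERSION = "2.9.10.1"


def parse_version(version: str) -> tuple:
    """Turn '2.9.10.1' into (2, 9, 10, 1); non-numeric pieces such as 'rc1' count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Tuple comparison: (2, 9, 10) < (2, 9, 10, 1), so 2.9.10 counts as unfixed."""
    return parse_version(version) < parse_version(fixed)


def read_pom_properties(text: str) -> dict:
    """Parse the key=value lines Maven writes to META-INF/maven/<group>/<artifact>/pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def inspect_jar(jar_path: Path) -> list:
    """One finding per jackson-databind copy in the jar.

    'version' is None when the classes are present but no Maven metadata
    survived shading; 'vulnerable' is then None too, meaning 'check by hand'.
    """
    findings = []
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        for name in sorted(names):
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = read_pom_properties(jar.read(name).decode("utf-8", "replace"))
                if props.get("groupId") == JACKSON_GROUP and props.get("artifactId") == JACKSON_ARTIFACT:
                    version = props.get("version")
                    findings.append({"jar": jar_path.name, "version": version,
                                     "vulnerable": is_vulnerable(version) if version else None})
        if not findings and JACKSON_MARKER_CLASS in names:
            findings.append({"jar": jar_path.name, "version": None, "vulnerable": None})
    return findings


def scan_plugin_dir(plugin_dir: Path) -> list:
    """Inspect every jar under the directory (an Eclipse plugins/ folder, for instance)."""
    results = []
    for jar_path in sorted(plugin_dir.rglob("*.jar")):
        results.extend(inspect_jar(jar_path))
    return results


def build_sample_plugin_dir(root: Path) -> Path:
    """Constructed sample data, not real plugin contents: a jar shading jackson-databind with
    its Maven metadata (version chosen below the assumed fix), one shading it without any
    metadata, and one that does not contain jackson-databind at all."""
    plugin_dir = root / "plugins"
    plugin_dir.mkdir()
    pom = f"#Generated by Maven\nversion=2.9.8\ngroupId={JACKSON_GROUP}\nartifactId={JACKSON_ARTIFACT}\n"
    with zipfile.ZipFile(plugin_dir / "a-shaded-with-metadata.jar", "w") as jar:
        jar.writestr(f"META-INF/maven/{JACKSON_GROUP}/{JACKSON_ARTIFACT}/pom.properties", pom)
        jar.writestr(JACKSON_MARKER_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(plugin_dir / "b-shaded-no-metadata.jar", "w") as jar:
        jar.writestr(JACKSON_MARKER_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(plugin_dir / "c-clean.jar", "w") as jar:
        jar.writestr("io/example/Plugin.class", b"\xca\xfe\xba\xbe")
    return plugin_dir


def run_sample() -> list:
    """Build the constructed plugin directory and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugin_dir(build_sample_plugin_dir(Path(tmp)))


if __name__ == "__main__":
    for finding in run_sample():
        state = {True: "VULNERABLE", False: "fixed", None: "unknown, inspect manually"}[finding["vulnerable"]]
        print(f"{finding['jar']}: jackson-databind {finding['version'] or '?'} -> {state}")
```

Point it at the real install (`scan_plugin_dir(Path("/path/to/eclipse/plugins"))`) to see what the plugin actually ships; a None version is the signal that the scanner was matching on class or jar names rather than on metadata, and that the answer has to come from the jar's own changelog or a byte-level comparison rather than from the report.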

devisuresh commented 1 year ago

Please unsubscribe me from the mailing list


britzl commented 1 year ago

@devisuresh https://github.com/watching