duosecurity / duo_universal_java

Duo OIDC-based two-factor authentication for Java web applications
https://duo.com/docs/duoweb

duo-universal-sdk v1.1.3 dependencies with vulnerabilities #28

Open SandraABM opened 3 months ago

SandraABM commented 3 months ago

I am using Java duo-universal-sdk v1.1.3 and getting vulnerabilities reported from dependencies.

Vulnerabilities I get reported in IntelliJ, and with syft/grype are:

com.fasterxml.jackson.core:jackson-core:2.3.2
com.fasterxml.jackson.core:jackson-databind:2.3.2
com.squareup.okhttp3:okhttp:3.14.19
com.squareup.okio:okio:1.17.2

Can you please investigate?

AaronAtDuo commented 2 months ago

The good news is, we have investigated those vulnerabilities and determined that we are not impacted by them.

The tricky part is that we inherit those dependencies via retrofit (they are not direct dependencies), so we rely on their dependency versioning. It looks like they recently put out a release after four years without one, so we need to see if it's feasible to update.
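One way a consumer of the SDK can confirm the transitive path and quiet the flagged versions in its own build while an upstream update is pending, as an added example that is not part of this thread or of the duo_universal_java project: run `mvn dependency:tree -Dverbose` in the application and check that jackson, okhttp and okio appear nested under retrofit rather than as direct dependencies; then pin them in the application's own `dependencyManagement`, which Maven applies to transitive dependencies as well, so that the pinned versions win over the ones retrofit declares. The coordinates `com.duosecurity:duo-universal-sdk` and every version number below are assumptions chosen for illustration; use the versions your scanner (grype, IntelliJ) reports as fixed, stay within the same major version so the retrofit/okhttp/jackson APIs the SDK was compiled against do not change, and re-run both the scanner and your login integration tests after the change.

```xml
<!-- Added example, not from the duo_universal_java project.
     Excerpt of a consuming application's pom.xml: the SDK stays a normal
     dependency, and the transitive libraries it pulls in through retrofit
     are pinned centrally. Versions here are assumed for illustration. -->
<project>

  <dependencyManagement>
    <dependencies>
      <!-- Pins apply to transitive dependencies too, so these override
           the versions retrofit declares without touching the SDK's pom. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>2.15.2</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.15.2</version>
      </dependency>
      <!-- Stay on the 3.x line: okhttp 4.x is a Kotlin rewrite with API
           changes that code compiled against 3.x may not tolerate. -->
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>3.14.9</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>1.17.6</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed coordinates for the SDK discussed in the thread. -->
    <dependency>
      <groupId>com.duosecurity</groupId>
      <artifactId>duo-universal-sdk</artifactId>
      <version>1.1.3</version>
    </dependency>
  </dependencies>

</project>
```

After the override, `mvn dependency:tree -Dverbose` should show the retrofit-declared versions marked as "omitted for conflict with" the pinned ones; if a pinned library is not listed under the SDK at all, the scanner finding did not come from this SDK and the pin is addressing the wrong path. A pin like this only changes what ends up on the application's classpath; it does not alter the maintainer's assessment above that the SDK's own use of these libraries is not affected.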