Which version and edition of Flyway are you using?
flyway/flyway:7.8.2-alpine
If this is not the latest version, can you reproduce the issue with the latest one as well? (Many bugs are fixed in newer releases and upgrading will often resolve the issue)
Using the latest docker tag
Which client are you using? (Command-line, Java API, Maven plugin, Gradle plugin)
command-line
Which database are you using? (Type & version)
PostgreSQL using docker image postgres:10.16-alpine
Which operating system are you using?
Inside the docker container: Alpine Linux
Externally:
Windows 10
GitHub Actions, runs-on: ubuntu-latest
Ubuntu Linux
What did you do? (Please include the content causing the issue, any relevant configuration settings, the SQL statement(s) that failed (if any), and the command you ran)
Using JFrog Xray to scan the docker image for violations finds a violation.
Details
Summary:
Java Native Access (JNA) Advapi32Util.registryGetValues() method REG_SZ, REG_MULTI_SZ / REG_EXPAND_SZ data type handling DoS
Description:
Java Native Access (JNA) contains a flaw in the Advapi32Util.registryGetValues() method that is triggered when handling a string with the REG_SZ, REG_MULTI_SZ or REG_EXPAND_SZ data types that is stored without proper null-terminating characters. This may allow an attacker to crash the program.
Infected Component: net.java.dev.jna:jna
Severity: High
Fix Version: 5.0.0
References:
https://github.com/java-native-access/jna/commit/12493ba771a50fae7d6303e8b58b31eacf903327
https://github.com/java-native-access/jna/issues/340
https://github.com/java-native-access/jna/blob/master/CHANGES.md
What did you expect to see?
Expected to see zero violations.
What did you see instead?
A violation was found.
Steps to reproduce:
Scan the image using JFrog Xray or a similar tool.
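An added illustration of the flaw described in the Details above (my own code, not Flyway's or JNA's; the class and method names are assumptions): a decoder for REG_SZ / REG_MULTI_SZ data that bounds every read by the value's reported byte length, beside the loop that trusts a terminating NUL and overruns when it is absent.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public final class RegistryStringDecoder {
    // Decoder that trusts the data to be NUL terminated (illustrative, not JNA's code):
    // on a value stored without its NUL it reads past the end; over a native buffer that is the crash.
    static String decodeSzTrusting(byte[] data) {
        int i = 0;
        while (data[i] != 0 || data[i + 1] != 0) i += 2;   // AIOOBE on unterminated data
        return new String(data, 0, i, StandardCharsets.UTF_16LE);
    }

    // Hardened REG_SZ / REG_EXPAND_SZ decoder: the byte length reported with the
    // value bounds the read; a NUL ends the string early, a missing NUL is tolerated.
    static String decodeSz(byte[] data, int length) {
        int end = Math.min(length, data.length) & ~1;       // drop an odd stray byte
        for (int i = 0; i + 1 < end; i += 2) {
            if (data[i] == 0 && data[i + 1] == 0) { end = i; break; }
        }
        return new String(data, 0, end, StandardCharsets.UTF_16LE);
    }

    // Hardened REG_MULTI_SZ decoder: NUL separated strings, ended by an empty
    // string (the double NUL) or by the reported length, whichever comes first.
    static List<String> decodeMultiSz(byte[] data, int length) {
        List<String> out = new ArrayList<>();
        int end = Math.min(length, data.length) & ~1, start = 0;
        for (int i = 0; i + 1 < end; i += 2) {
            if (data[i] == 0 && data[i + 1] == 0) {
                if (i == start) return out;                   // list terminator
                out.add(new String(data, start, i - start, StandardCharsets.UTF_16LE));
                start = i + 2;
            }
        }
        if (start < end) out.add(new String(data, start, end - start, StandardCharsets.UTF_16LE));
        return out;
    }

    public static void main(String[] args) {
        // Constructed values in the shape RegQueryValueEx returns them (UTF-16LE bytes plus a byte length).
        byte[] ok = "C:\\Tools\0".getBytes(StandardCharsets.UTF_16LE);
        byte[] bad = "C:\\Tools".getBytes(StandardCharsets.UTF_16LE);        // no NUL
        byte[] multi = "one\0two".getBytes(StandardCharsets.UTF_16LE);       // no final \0\0
        System.out.println(decodeSz(ok, ok.length) + " | " + decodeSz(bad, bad.length));
        System.out.println(decodeMultiSz(multi, multi.length));
        try { decodeSzTrusting(bad); }
        catch (ArrayIndexOutOfBoundsException e) { System.out.println("trusting decoder overran: " + e.getMessage()); }
    }
}
```

Advapi32 exists only on Windows, so the Alpine image never exercises this path at runtime; the decoders above run anywhere because they operate on constructed bytes.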