Rest.li is a REST+JSON framework for building robust, scalable service architectures using dynamic discovery and simple asynchronous APIs.
fix security issues due to transitive dependency icu4j #797
Closed
pedro93 closed 2 years ago
(Copied from https://github.com/linkedin/rest.li/pull/790) These dependencies are brought in when using the latest release of rest.li:

```
--- org.antlr:antlr4:4.7.2
+--- org.antlr:antlr4-runtime:4.7.2
+--- org.antlr:antlr-runtime:3.5.2
+--- org.antlr:ST4:4.1
|    --- org.antlr:antlr-runtime:3.5.2
+--- org.abego.treelayout:org.abego.treelayout.core:1.0.3
+--- org.glassfish:javax.json:1.0.4
--- com.ibm.icu:icu4j:61.1
```

The OWASP scanner on a sample project shows these vulnerabilities.

Upgrading to the latest 4.10.1 we get these:

```
--- org.antlr:antlr4:4.10.1
+--- org.antlr:antlr4-runtime:4.10.1
+--- org.antlr:antlr-runtime:3.5.3
+--- org.antlr:ST4:4.3.3
|    --- org.antlr:antlr-runtime:3.5.2 -> 3.5.3
+--- org.abego.treelayout:org.abego.treelayout.core:1.0.3
+--- org.glassfish:javax.json:1.0.4
--- com.ibm.icu:icu4j:69.1
```

After the update: 0 CVEs.
Ref:
- https://plugins.gradle.org/plugin/org.owasp.dependencycheck
- https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html
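An added check, not part of this pull request or of rest.li itself, that parses `gradle dependencies` tree text like the output quoted in the PR, honours the `->` conflict-resolution arrow Gradle prints, and lists artifacts whose resolved version is below a required floor. The two trees are abbreviated copies of the PR's before/after output, and the floors are the versions the post-upgrade tree resolves to.

```python
import re

# Gradle dependency-tree output as quoted in the pull request (abbreviated to the
# lines that matter here); the page dropped Gradle's '\' tree prefixes.
TREE_BEFORE = """\
--- org.antlr:antlr4:4.7.2
+--- org.antlr:antlr-runtime:3.5.2
+--- org.antlr:ST4:4.1
|    --- org.antlr:antlr-runtime:3.5.2
--- com.ibm.icu:icu4j:61.1
"""
TREE_AFTER = """\
--- org.antlr:antlr4:4.10.1
+--- org.antlr:antlr-runtime:3.5.3
+--- org.antlr:ST4:4.3.3
|    --- org.antlr:antlr-runtime:3.5.2 -> 3.5.3
--- com.ibm.icu:icu4j:69.1
"""
# Minimum acceptable versions, taken from the PR's post-upgrade tree.
FLOORS = {"com.ibm.icu:icu4j": "69.1", "org.antlr:antlr-runtime": "3.5.3"}
# One tree line: drawing prefix, group:artifact:version, optional "-> resolved".
LINE_RE = re.compile(
    r"^[\s|+\\]*---\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<declared>\S+)"
    r"(?:\s+->\s+(?P<resolved>\S+))?"
)

def version_key(version):
    """'4.10.1' -> (4, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def resolved_versions(tree):
    """Map 'group:artifact' to the version Gradle actually resolves for it."""
    result = {}
    for line in tree.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        coord = f"{m['group']}:{m['artifact']}"
        version = m["resolved"] or m["declared"]  # honour conflict resolution
        # The same artifact can appear under several parents; keep the highest.
        if coord not in result or version_key(version) > version_key(result[coord]):
            result[coord] = version
    return result

def below_floor(tree, floors=FLOORS):
    """Return artifacts whose resolved version is lower than the required floor."""
    resolved = resolved_versions(tree)
    return [c for c, floor in floors.items()
            if c in resolved and version_key(resolved[c]) < version_key(floor)]
```

Against the first tree the check flags both icu4j and antlr-runtime; against the second it flags nothing, matching the scanner result the PR reports.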