mbknor / mbknor-jackson-jsonSchema

Generate JSON Schema with Polymorphism using Jackson annotations
MIT License

Security Vulnerability: Latest 1.0.39 release depends on version of Scala with known vulnerability #174

Open big-andy-coates opened 1 year ago

big-andy-coates commented 1 year ago

v1.0.39 of this library depends on org.scala-lang:scala-library:2.13.1, which has a known security vulnerability.

Updating to the latest 2.13.10 release will fix this issue.

big-andy-coates commented 1 year ago

Workaround is to force the use of a version of scala-library above 2.13.8. e.g. for Gradle users:

    configurations.all {
        resolutionStrategy.eachDependency {
            // Can be removed once https://github.com/mbknor/mbknor-jackson-jsonSchema/issues/174 resolved:
            if (requested.group == "org.scala-lang" && requested.name == "scala-library") {
                useVersion("2.13.10")
                because("security vulnerabilities found < 2.13.9: " +
                        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36944")
            }
        }
    }
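A way to confirm the workaround actually took effect, added here as an example and not code from the reporter or from the mbknor-jackson-jsonSchema project: Gradle's dependency locking writes the resolved versions to `gradle.lockfile` (one `group:name:version=configuration,...` entry per line, `#` comments), so a small script can read that file and flag an `org.scala-lang:scala-library` resolution below 2.13.9, the same threshold the `resolutionStrategy` above uses for CVE-2022-36944. The two lockfiles embedded below are constructed samples, and the `com.kjetland:mbknor-jackson-jsonschema_2.13` coordinates in them are assumed for illustration.

```python
"""Detect a vulnerable scala-library resolution in a Gradle lockfile.

Added example for this issue thread, not code from the reporter or the
project. Reads Gradle's single-lockfile format and flags
org.scala-lang:scala-library on the 2.13 line below 2.13.9, the range
the workaround in the thread guards against (CVE-2022-36944).
"""
import re
from typing import Optional, Tuple

# Versions of the 2.13 line below this are affected; the workaround forces 2.13.10.
MIN_SAFE_SCALA_2_13: Tuple[int, ...] = (2, 13, 9)

# One lockfile entry: group:name:version=configuration,configuration,...
LOCK_ENTRY = re.compile(
    r"^(?P<group>[^:=#]+):(?P<name>[^:=]+):(?P<version>[^=]+)=(?P<configs>.*)$"
)

# Constructed sample lockfile, shaped like what Gradle writes for a project
# that pulls in the library from the issue (artifact coordinates assumed).
SAMPLE_LOCKFILE_BEFORE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.14.2=compileClasspath,runtimeClasspath
com.kjetland:mbknor-jackson-jsonschema_2.13:1.0.39=compileClasspath,runtimeClasspath
org.scala-lang:scala-library:2.13.1=compileClasspath,runtimeClasspath
empty=annotationProcessor
"""

# The same project after the resolutionStrategy workaround forces 2.13.10.
SAMPLE_LOCKFILE_AFTER = SAMPLE_LOCKFILE_BEFORE.replace(
    "scala-library:2.13.1=", "scala-library:2.13.10="
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.13.10' (or '2.13.9-bin-xyz') into a comparable int tuple.

    Numeric comparison avoids the string-ordering trap where
    '2.13.10' sorts before '2.13.9'.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_scala_library(version: str) -> bool:
    """True for scala-library 2.13.x below 2.13.9 (the CVE-2022-36944 range)."""
    v = parse_version(version)
    return v[:2] == (2, 13) and v < MIN_SAFE_SCALA_2_13


def resolved_scala_library(lockfile_text: str) -> Optional[str]:
    """Return the locked org.scala-lang:scala-library version, or None if absent."""
    for raw in lockfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_ENTRY.match(line)
        if m and m["group"] == "org.scala-lang" and m["name"] == "scala-library":
            return m["version"].strip()
    return None


def check_lockfile(lockfile_text: str) -> str:
    """Classify a lockfile as 'vulnerable', 'ok', or 'absent' (no scala-library)."""
    version = resolved_scala_library(lockfile_text)
    if version is None:
        return "absent"
    return "vulnerable" if is_vulnerable_scala_library(version) else "ok"


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_LOCKFILE_BEFORE), ("after", SAMPLE_LOCKFILE_AFTER)):
        print(label, resolved_scala_library(text), check_lockfile(text))
```

To run this against a real build, enable dependency locking, regenerate the lockfile with `./gradlew dependencies --write-locks` after adding the `resolutionStrategy` block, and point the script at the resulting `gradle.lockfile`; `./gradlew dependencyInsight --dependency scala-library` shows the same resolution interactively, including which rule forced it.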