Closed eduardszoecs closed 1 month ago
commons-compress is a transitive dependency, required by Apache POI. We will upgrade when POI does, as we do not wish to take on the duplicate work of maintaining the versions of these transitive dependencies.
https://poi.apache.org/changes.html indicates that the next POI release will be rolled out in September.
With the release of POI 5.3.0, commons-compress has been updated to 1.26.2. This is included in XLConnect 1.1.0 which is being released on CRAN.
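As an added example (not code from the XLConnect project or from anyone in this thread): a small audit script that a defender can run inside the container to verify which commons-compress version is actually bundled under the R site-library, instead of relying on the scanner report alone. It reads `Implementation-Version` from each jar's `META-INF/MANIFEST.MF` and flags anything below 1.26.2, the version the maintainers state ships with XLConnect 1.1.0. The assumption here is that the bundled jar carries an `Implementation-Version` manifest attribute (Apache Commons jars normally do); a jar without one is treated as unverified and therefore flagged. The `make_sample_jar` helper only builds constructed fixtures for testing.

```python
import re
import sys
import zipfile
from pathlib import Path

# Minimum acceptable version: the thread states XLConnect 1.1.0 (via POI 5.3.0)
# moved commons-compress to 1.26.2.
FIXED_VERSION = "1.26.2"


def parse_version(v):
    """Turn '1.26.2' into (1, 26, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def manifest_version(jar_path):
    """Return the Implementation-Version from a jar's manifest, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest values may wrap onto a continuation line that starts with a space;
    # joining those first keeps long values intact.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_outdated(jar_path, minimum=FIXED_VERSION):
    """True if the jar is older than `minimum` or its version cannot be determined."""
    v = manifest_version(jar_path)
    if v is None:
        return True  # assumption: an unverifiable jar is treated as not patched
    return parse_version(v) < parse_version(minimum)


def audit(library_dir):
    """Walk an R library tree and report every commons-compress jar found."""
    findings = []
    for jar in sorted(Path(library_dir).rglob("commons-compress*.jar")):
        findings.append((str(jar), manifest_version(jar), is_outdated(jar)))
    return findings


def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar (a zip) holding only a manifest."""
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            f"Implementation-Version: {version}\r\n"
            "Implementation-Title: Apache Commons Compress\r\n\r\n",
        )
    return str(path)


if __name__ == "__main__":
    # Default root is the library path named in the issue; override with argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/R/site-library"
    for path, version, outdated in audit(root):
        status = "OUTDATED" if outdated else "ok"
        print(f"{status:8} {version or '?':>8}  {path}")
```

Run it as `python audit_jars.py /usr/lib/R/site-library` in the container; the XLConnect jar from the issue appears as `.../XLConnect/java/commons-compress.jar`, and after the upgrade to XLConnect 1.1.0 it should report `ok 1.26.2`. Because the check reads the manifest rather than the filename, it still works for jars such as this one that carry no version in their name.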
sessionInfo() output

```
R version 4.3.3 (2024-02-29)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Ubuntu 20.04.6 LTS

Matrix products: default
BLAS:   /usr/lib/x86_64-linux-gnu/openblas-pthread/libblas.so.3
LAPACK: /usr/lib/x86_64-linux-gnu/openblas-pthread/liblapack.so.3;  LAPACK version 3.9.0

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=en_US.UTF-8
 [9] LC_ADDRESS=en_US.UTF-8     LC_TELEPHONE=en_US.UTF-8
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=en_US.UTF-8

time zone: UTC
tzcode source: system (glibc)

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base

other attached packages:
[1] XLConnect_1.0.8

loaded via a namespace (and not attached):
[1] compiler_4.3.3 rJava_1.0-11
```
Additional environment information
Running in a docker container.
Description
Our vulnerability scanner (trivy) picks up the following:
which originates from XLConnect ("usr/lib/R/site-library/XLConnect/java/commons-compress.jar")
Expected behavior
No vulnerabilities are shipped by XLConnect. Solution is to update the commons-compress.jar
How to Reproduce