neuland / pug4j

a pug implementation written in Java (formerly known as jade)
MIT License
61 stars, 12 forks

[vuln] Bump graalvm dependency to fix last HIGH vulnerability left in pom.xml #22

Closed dbelyaev closed 10 months ago

dbelyaev commented 1 year ago

In my last issue (https://github.com/neuland/pug4j/issues/20) and the fix for it, I missed a detail: the remediation for SNYK-JAVA-ORGGRAALVMSDK-5457933 is to upgrade org.graalvm.sdk:graal-sdk to one of these three versions: 20.3.10, 21.3.6, 22.3.2 or higher (21.3.2 is not enough).

SEVERITY:       HIGH
VULNERABILITY:  Information Exposure
CWE:            CWE-924
CVE:            CVE-2023-21930
SNYK:           SNYK-JAVA-ORGGRAALVMSDK-5457933
CVSS SCORE:     7.4
INTRODUCED IN:  org.graalvm.sdk:graal-sdk@21.3.0
FIXED IN:       org.graalvm.sdk:graal-sdk@20.3.10, @21.3.6, @22.3.2

This issue should be addressed by utilizing a patched version from the same minor tree: 21.3.6.
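The per-tree fix versions above are easy to misread (21.3.2 sounds "patched" but is below 21.3.6), so here is an added check, not code from the issue or from pug4j, that parses `mvn dependency:tree` output and reports whether the resolved graal-sdk version carries the fix. It assumes the usual `groupId:artifactId:type:version:scope` layout of that output with no classifier column, reads the advisory's "20.3.10, 21.3.6, 22.3.2 or higher" conservatively (a listed tree must be at or above its fix version; anything newer than 22.3.2 counts as fixed; unlisted trees such as 21.1.x are reported as not fixed), and the sample tree text embedded in it is constructed for illustration, not real build output.

```python
import re
import sys

ARTIFACT = "org.graalvm.sdk:graal-sdk"

# Fix versions per minor tree, copied from the Snyk entry quoted in the issue
# (SNYK-JAVA-ORGGRAALVMSDK-5457933 / CVE-2023-21930).
FIXED_IN = {
    (20, 3): (20, 3, 10),
    (21, 3): (21, 3, 6),
    (22, 3): (22, 3, 2),
}

# Matches the resolved coordinates printed by `mvn dependency:tree`:
# groupId:artifactId:type:version[:scope]. Assumes no classifier column.
_COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+:([0-9][^:\s]*)"
)

# Constructed sample of `mvn dependency:tree` output, for illustration only;
# it is not real output from pug4j's build.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.graalvm.sdk:graal-sdk:jar:21.3.2:compile
[INFO] +- org.graalvm.js:js:jar:21.3.2:compile
[INFO] |  \\- org.graalvm.truffle:truffle-api:jar:21.3.2:compile
[INFO] \\- org.jsoup:jsoup:jar:1.15.4:compile
"""


def parse_version(version: str) -> tuple:
    """Turn '21.3.2' (or '21.3.2-SNAPSHOT') into (21, 3, 2) for ordered comparison."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version: str) -> bool:
    """True when `version` carries the fix for CVE-2023-21930.

    Conservative reading of the advisory (an assumption of this example):
    a listed minor tree must be at or above that tree's fix version, anything
    above 22.3.2 is fixed, and trees the advisory does not list are not fixed.
    """
    v = parse_version(version)
    tree = v[:2]
    if tree in FIXED_IN:
        return v >= FIXED_IN[tree]
    return v > max(FIXED_IN.values())


def check_tree(tree_text: str, artifact: str = ARTIFACT) -> list:
    """Return [(version, fixed)] for every occurrence of `artifact` in the tree."""
    results = []
    for line in tree_text.splitlines():
        m = _COORD_RE.search(line)
        if not m:
            continue
        group_id, artifact_id, version = m.groups()
        if f"{group_id}:{artifact_id}" == artifact:
            results.append((version, is_fixed(version)))
    return results


if __name__ == "__main__":
    # Pipe real `mvn dependency:tree` output on stdin; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for version, fixed in check_tree(text):
        status = "fixed" if fixed else "STILL VULNERABLE"
        print(f"{ARTIFACT}@{version}: {status}")
```

Run as `mvn dependency:tree | python check_graal.py` (script name is an assumption) after bumping the version in pom.xml; the point of checking the resolved tree rather than the declared version is that a transitive dependency or a `dependencyManagement` entry can still pin graal-sdk below the fix.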

dbelyaev commented 1 year ago

@chbloemer excuse the multiple PRs/issues, can you take a look at it?