nextflow-io / nextflow

A DSL for data-driven computational pipelines
http://nextflow.io
Apache License 2.0

Insecure dependencies? #2537

Closed kpalin closed 2 years ago

kpalin commented 2 years ago

Bug report

While scanning for log4j vulnerabilities I got warnings of CRITICAL issues with the nextflow dependency pf4j-3.4.1.jar (CVE-2019-7238). There is also another, HIGH severity vulnerability, CVE-2020-10199.

Expected behavior and actual behavior

Vulnerability scanners, like dependency-check, should not report vulnerabilities with nextflow. If possible, please update pf4j.

pditommaso commented 2 years ago

Not sure the CVEs you are reporting are related to pf4j-3.4.1.jar.

Nextflow dependencies are checked via Sonatype Lift; the last build reports 1 low severity threat for the Guava library. No other problem is highlighted.

https://sbom.lift.sonatype.com/report/T1-0ff0976f7f21c391f20f-4f35bee476b1b-1640160070-9d407d7620cb4b6ab3fa0a1785af498b

kpalin commented 2 years ago

Ah... This is embarrassing. Apparently I failed to correctly read dependency-check-report.zip. Clearly the alert was a false positive from dependency-check. Sorry.