Closed jamesbroadhead closed 3 years ago
I thought about contributing when I saw this issue, but then I read the contributing guideline, which states "Ping Identity does not accept third-party code submissions, such as pull requests." Yet I see pull requests in the repo.
Can I work on this issue and create a pull request?
Thanks for your interest in the SCIM2 SDK. As you mentioned, Ping does not accept outside pull requests, but we are tracking this issue internally. Ping's security team considers this issue low priority, since the vulnerability has a very low attack vector, though we hope to find time to address this in the near future.
On top of that, why is testng a compile-time dependency for the scim2 packages? All usages of testng come from src/test packages.
Fixes for the problems pointed out by @jamesbroadhead and @everag should be available with the next SCIM 2 SDK release. Barring unforeseen changes, that will be version 2.3.7, and it will be released no later than the end of Q3 2021.
Thank you @braveulysses !
testng 6.4 is vulnerable to MITM during the build; see https://app.snyk.io/vuln/SNYK-JAVA-ORGTESTNG-174823 for details.
As testng is a dependency of scim, it is causing scim to be flagged in our vulnerability-detection process.
Please upgrade to testng 7.0.0 or above
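The two defects raised in this thread (testng reaching consumers because it is not limited to test scope, and testng being below 7.0.0) can both be caught mechanically from a pom.xml before a scanner flags the artifact. The script below is an added example written for this page; it is not code from the SCIM2 SDK, and the two pom fragments it embeds are constructed for illustration, not the project's real pom.xml. It assumes the project is built with Maven and that a dependency without an explicit `<scope>` takes Maven's default compile scope.

```python
"""Audit a Maven pom.xml for a test framework that has leaked into compile scope
or is pinned below a fixed release.  Added example, not SCIM2 SDK code."""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_TESTNG = (7, 0, 0)  # first release without the MITM finding discussed in the thread

# Constructed pom fragment (assumption, not the real SCIM2 SDK pom.xml):
# testng 6.4 with no <scope>, so Maven treats it as a compile dependency that
# every consumer of the artifact inherits.
WEAK_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>scim2-sdk-example</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.testng</groupId>
      <artifactId>testng</artifactId>
      <version>6.4</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed corrected fragment: version at or above 7.0.0 and scope limited to test,
# so testng is used only under src/test and is not exported to consumers.
FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>scim2-sdk-example</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.testng</groupId>
      <artifactId>testng</artifactId>
      <version>7.4.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


def parse_version(version):
    """Turn '6.4' or '7.0.0-beta1' into a 3-tuple of ints (leading digits of each part)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit_pom(pom_xml, group="org.testng", artifact="testng", minimum=MIN_TESTNG):
    """Return a list of findings for the named dependency; an empty list means clean."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        g = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        a = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        if (g, a) != (group, artifact):
            continue
        # Maven's default scope is "compile" when <scope> is omitted.
        scope = dep.findtext("m:scope", default="compile", namespaces=POM_NS)
        version = dep.findtext("m:version", default="", namespaces=POM_NS)
        if scope != "test":
            findings.append(f"{g}:{a} has scope '{scope}'; a test framework belongs in scope 'test'")
        if version and parse_version(version) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(f"{g}:{a} version {version} is below {wanted}")
        elif not version:
            # Version inherited from a parent or dependencyManagement: resolve it there.
            findings.append(f"{g}:{a} has no explicit version; check the managed version")
    return findings


if __name__ == "__main__":
    for name, pom in (("weak", WEAK_POM), ("fixed", FIXED_POM)):
        print(name, audit_pom(pom) or "clean")
```

In a real checkout the same question can be asked of the resolved build rather than the raw pom, for example with `mvn dependency:tree -Dincludes=org.testng`, which prints the scope Maven actually assigned; a testng line that does not end in `:test` is the leak this thread describes.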