Open fjakop opened 3 weeks ago
I would be interested in you providing a description about how a user of poi-shared-strings or excel-streaming-reader can exploit that CVE. The only classes used here are the MVStore classes.
I understand that h2 can be made optional but scaremongering about CVEs that don't affect this use case is not the way to go about it.
excel-streaming-reader is probably where I would start if I was to start making the dependencies optional. Its dependency on poi-shared-strings can be made optional. That would have to happen in a major release for semver reasons.
but scaremongering about CVEs that don't affect this use case is not the way to go about it.
I totally agree with you on this point, but in a company with a strict governance process on dependencies and possible vulnerabilities the waiving process is a pita, so when there's nothing to waive it is much better than having to explain why the software is not affected.
We're looking forward to the next major release. Thanks.
We're using "com.github.pjfanning:excel-streaming-reader:4.3.1" in our application, and since there is a compile dependency on h2 we have to exclude it explicitly.
We would suggest h2 to be an optional dependency because the use in production is a very rare case in our opinion.
Btw, the version 2.2.224 comes with a vulnerability CVE-2018-14335 / sonatype-2018-0863.