quarkiverse / quarkus-logging-json

Quarkus logging extension outputting the logging in json.
Apache License 2.0

Critical and High Vulnerabilities reported for quarkus-logging-json in National Vulnerability Database #163

Closed agatarychter closed 2 years ago

agatarychter commented 2 years ago

Hello Quarkiverse Team, I am currently developing a project that uses the quarkus-logging-json dependency. We have added a new plugin to our pom.xml lately (the org.owasp dependency-check-maven plugin) which looks for vulnerabilities in the dependencies we use. It turned out there are some CRITICAL and HIGH vulnerabilities reported for quarkiverse/quarkus-logging-json. Here is the link: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aquarkus&cpe_product=cpe%3A%2F%3Aquarkus%3Aquarkus&cpe_version=cpe%3A%2F%3Aquarkus%3Aquarkus%3A1.1.1

I would like to ask if you have any propositions about how to proceed with the vulnerabilities? They are reported in our SonarQube as well.

Are you going to provide some fix versions? Or maybe there is a way to make a fix ourselves? I would be grateful for your answer.

Best regards, Agata Rychter

agatarychter commented 2 years ago

I am using Quarkus version 2.7.0.Final (I've checked also for 2.5.4.Final and 2.5.0.Final) and quarkiverse/quarkus-logging-json version 1.1.1.

SlyngDK commented 2 years ago

Which issues? For dependencies used in this project, by default the Quarkus BOM will override these.

gsmet commented 2 years ago

The report has nothing to do with the Logging JSON Quarkiverse extension.

The report is about Quarkus 1.1.1.Final itself AFAICS. A good indicator something is wrong with your report is that it references quarkus/quarkus/1.1.1 and that it complains about the PostgreSQL JDBC driver, which this extension does not use.

I would advise you to check the reports more carefully and also to check what's wrong with your reporting because, given the other issue you created in the Quarkus project, your reporting is incorrect.
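Added example, not part of this thread or of the extension's own code: the thread describes a false positive in which dependency-check maps this extension's artifact version 1.1.1 onto the CPE `cpe:/a:quarkus:quarkus` (Quarkus 1.1.1.Final). The standard way to record such a verified false positive is a dependency-check suppression file; the Maven coordinates `io.quarkiverse.loggingjson:quarkus-logging-json` are assumed here, so check them against your own pom.xml before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml
     Suppresses the false-positive CPE match discussed above. Only the CPE is
     suppressed (not specific CVEs), so genuine findings against other CPEs that
     the artifact might match in future are still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        quarkus-logging-json 1.1.1 is mis-identified as Quarkus core 1.1.1.Final.
        The extension does not ship Quarkus core; the reported CVEs apply to a
        different product. Reviewed by: <your-name>, date: <yyyy-mm-dd>.
        ]]></notes>
        <!-- Maven coordinates are an assumption; verify against your pom.xml.
             The version is left open so the rule survives upgrades of the extension,
             while the packageUrl keeps it scoped to this one artifact. -->
        <packageUrl regex="true">^pkg:maven/io\.quarkiverse\.loggingjson/quarkus\-logging\-json@.*$</packageUrl>
        <cpe>cpe:/a:quarkus:quarkus</cpe>
    </suppress>
</suppressions>
```

Reference the file from the dependency-check-maven plugin's `<suppressionFiles>` configuration and keep it under code review, so every suppression carries a note explaining why the match was judged a false positive.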