CVE-2021-43138 and org.clojure/core.async

[fdabrao]

Hello,

I've got this security problem that is pointing out to https://github.com/caolan/async vulnerability. Is that a false positive?

Thank you

[vemv]

Hi, thanks for the report!

What nvd-clojure version are you using?

[fdabrao]

The last one {:mvn/version "RELEASE"}, at this moment -> v2.5.0

[vemv]

Thanks!

Indeed it's a false positive. Thanks for reporting it in https://github.com/jeremylong/DependencyCheck/issues/4384.

In the meantime you can add it to your suppressions .xml file, there's doc/examples that can be found in the readme.

Cheers - V