simerplaha / SwayDB

Persistent and in-memory key-value storage engine for JVM that scales on a single machine.
https://swaydb.simer.au
Apache License 2.0

CVE-2022-36944 - Scala vulnerability with 9.8 score #363

Open crea1 opened 2 years ago

crea1 commented 2 years ago

Hi 👋

Currently our dependency checks started failing on SwayDB due to the scala libraries related to this CVE https://nvd.nist.gov/vuln/detail/CVE-2022-36944

[ERROR] scala-library-2.13.8.jar: CVE-2022-36944(9.8)
[ERROR] scala-reflect-2.13.0.jar: CVE-2022-36944(9.8)

We are using

    <dependency>
      <groupId>io.swaydb</groupId>
      <artifactId>java_2.13</artifactId>
      <version>0.16.2</version>
    </dependency>

Seems that these are fixed in scala-library 2.13.9, latest being 2.13.10 as of writing.

Would be super nice to get a patch on this.

Thank you for SwayDB ❤️

Kind regards, Marius
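Until a SwayDB release picks up a patched Scala, a consuming project can force the transitive Scala artifacts to a fixed version from its own `pom.xml`. This is an added example, not code from the issue or the SwayDB project; it assumes a Maven build like the one shown above and that the Scala 2.13.x binary-compatibility guarantee covers SwayDB's use of the library (an assumption to confirm with your own test suite).

```xml
<!-- pom.xml fragment (added example, not from the SwayDB project):
     pins the Scala runtime that io.swaydb:java_2.13 pulls in transitively -->
<properties>
  <!-- 2.13.9 is the first fixed release named in the report; 2.13.10 was latest at the time -->
  <scala.version>2.13.10</scala.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Managed versions take precedence over the versions declared by transitive dependencies,
         so both jars flagged by the dependency check are lifted to the fixed release. -->
    <dependency>
      <groupId>org.scala-lang</groupId>
      <artifactId>scala-library</artifactId>
      <version>${scala.version}</version>
    </dependency>
    <dependency>
      <groupId>org.scala-lang</groupId>
      <artifactId>scala-reflect</artifactId>
      <version>${scala.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- unchanged: the SwayDB artifact from the report above -->
  <dependency>
    <groupId>io.swaydb</groupId>
    <artifactId>java_2.13</artifactId>
    <version>0.16.2</version>
  </dependency>
</dependencies>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.scala-lang` and by re-running the dependency check that produced the errors above.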

simerplaha commented 2 years ago

Hey! Thank you for reporting this. This is something that should definitely be sorted out.

Just FYI, SwayDB's last release was 2 years ago and is over 400 commits behind new updates.

I have not been able to figure out how to continue SwayDB's development. Time being the biggest factor. So I'm not sure when this issue will be resolved.

Thanks heaps for reporting this.

crea1 commented 2 years ago

Thank you for replying! I totally understand your situation. But at least now you are aware should you some day find the extra time.

Cheers!