snowflakedb / snowflake-ingest-java

Java SDK for the Snowflake Ingest Service -
http://www.snowflake.net
Apache License 2.0

Snyk: snowflake-ingest-java org.bouncycastle:bcprov-jdk18on 1.78 | Snyk ID - SNYK-JAVA-ORGBOUNCYCASTLE-6277381 #743

Closed. github-actions[bot] closed this issue 5 months ago.

github-actions[bot] commented 5 months ago

Title: Snyk: snowflake-ingest-java org.bouncycastle:bcprov-jdk18on 1.78
Additional information on Snyk can be found here: https://snyk.io/org/snowflakedb-sca-scanning-public-repo/project/decdb8fe-6a6d-465d-9e89-84aa34efb781
Repo: snowflake-ingest-java
CVE:
Package Type: java
Package Name: org.bouncycastle:bcprov-jdk18on
Package Version: 1.78
Snyk ID: SNYK-JAVA-ORGBOUNCYCASTLE-6277381
Vulnerability URL: http://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6277381
Severity: medium
Introduced Date: 2024-03-04
Projects with Vulnerability: snowflakedb/snowflake-ingest-java:pom.xml
Target File: pom.xml
JIRA Ticket: https://snowflakecomputing.atlassian.net/browse/SNOW-1334457

sfc-gh-xhuang commented 5 months ago

We already upgraded to 1.78, but the CVE has not been updated to indicate that this is the fixed version: https://github.com/bcgit/bc-java/issues/1528

sfc-gh-azagrebin commented 5 months ago

This problem has no released version that solves it, including the latest 1.78 that solved some other issues.

dghgit commented 5 months ago

The problem is fixed in 1.78 and 1.78.1. It is going to be a while before any CVEs are updated: MITRE is currently having internal issues, apparently due to a data breach, and our last request for a CVE-ID for the 1.78 release is still pending; that's over 3 weeks now.

CVE-2024-30171 will be updated to show 1.78 as the fix release.

sfc-gh-lsembera commented 5 months ago

Fixed in https://github.com/snowflakedb/snowflake-ingest-java/pull/752
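The check a practitioner would want after this thread: confirm which BouncyCastle version Maven actually resolves for the build, and compare it against the fix release the maintainer names (1.78), since Snyk kept flagging 1.78 while the advisory data lagged. The Python script below is an added example, not code from the snowflake-ingest-java project or from anyone in the thread. It parses the output of `mvn dependency:tree`, skips nodes Maven reports as omitted, and reports any resolved bcprov-jdk18on older than FIXED_VERSION; the sample trees embedded in it are constructed for the example (they are not the project's real dependency tree), and FIXED_VERSION is taken from dghgit's comment above as an assumption to re-check once the advisory is updated.

```python
import re

# Fix release for this finding, as stated by the BouncyCastle maintainer in the
# thread (1.78 and 1.78.1). Taken as an assumption for this example; re-check it
# once the advisory itself is updated.
FIXED_VERSION = "1.78"

# Coordinates as printed by `mvn dependency:tree`:
#   groupId:artifactId:packaging:version[:scope]
COORD_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+):"
    r"(?P<packaging>[A-Za-z0-9_\-]+):(?P<version>[A-Za-z0-9_.\-]+)(?::(?P<scope>[a-z]+))?"
)


def version_key(version: str) -> tuple:
    """Numeric tuple for comparing Maven versions such as 1.77, 1.78, 1.78.1.

    Parsing stops at the first non-numeric piece, so a qualifier such as
    1.78-SNAPSHOT compares equal to 1.78; that is acceptable for a floor check.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def bouncycastle_artifacts(tree_text: str) -> list:
    """(artifact, version) for every resolved org.bouncycastle node in the tree.

    Lines Maven marks as 'omitted for ...' (verbose output) are not on the
    classpath, so they are skipped rather than reported as findings.
    """
    found = []
    for line in tree_text.splitlines():
        if "omitted for" in line:
            continue
        match = COORD_RE.search(line)
        if match and match.group("group") == "org.bouncycastle":
            found.append((match.group("artifact"), match.group("version")))
    return found


def bcprov_below_fix(tree_text: str, fixed: str = FIXED_VERSION) -> list:
    """The bcprov-jdk18on entries whose resolved version is older than the fix."""
    return [
        (artifact, version)
        for artifact, version in bouncycastle_artifacts(tree_text)
        if artifact == "bcprov-jdk18on" and version_key(version) < version_key(fixed)
    ]


# Constructed sample output (not the real project's tree): before the bump ...
TREE_BEFORE = """\
[INFO] com.example:ingest-app:jar:1.0.0
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.77:compile
[INFO] +- org.bouncycastle:bcpkix-jdk18on:jar:1.77:compile
[INFO] \\- com.example:other-lib:jar:2.0.0:compile
"""

# ... and after, including a verbose-mode line for an older copy Maven dropped.
TREE_AFTER = """\
[INFO] com.example:ingest-app:jar:1.0.0
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78:compile
[INFO] +- org.bouncycastle:bcpkix-jdk18on:jar:1.78:compile
[INFO] \\- com.example:other-lib:jar:2.0.0:compile
[INFO]    \\- (org.bouncycastle:bcprov-jdk18on:jar:1.70:compile - omitted for conflict with 1.78)
"""

if __name__ == "__main__":
    for name, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        print(name, "resolved:", bouncycastle_artifacts(tree))
        print(name, "below fix:", bcprov_below_fix(tree) or "none")
```

To use it against a real checkout, run `mvn dependency:tree` in the repository, pass the captured output to `bcprov_below_fix`, and treat an empty list as "resolved bcprov-jdk18on is at or above 1.78". The script encodes the maintainer's statement of the fix release, not the scanner's data, so the Snyk finding itself should still be re-evaluated once the advisory is corrected.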