spring-cloud / spring-cloud-dataflow

A microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes
https://dataflow.spring.io
Apache License 2.0

Security findings #5288

Closed snskr closed 1 year ago

snskr commented 1 year ago

Hi Team, how are you doing? Need help with some of the security findings for the latest SCDF 2.10.0/2. Do you have any patches planned for the below packages for any security vulnerabilities?

  1. Go package coming as part of the docker image.
  2. OpenSSL related package
  3. Commons Text jar
  4. OAuth2 related Spring upgrades

Kindly let us know if you have any planned activities or features for these. Thanks in advance.

Regards, Snskr.

markpollack commented 1 year ago

We need more details to understand what security vulnerabilities you are talking about. We always update to latest dependency releases when doing our releases and monitor status of security vulnerabilities with our own security scanning. The preferred method to report security related issues is described here - https://spring.io/security/

snskr commented 1 year ago

Thanks for the reply. For the SCDF docker image, we got findings for the following packages:

  1. Go package 1.19.5
  2. OpenSSL 1.1.1.ubuntu2.1 18.04.21
  3. Systemd ubuntu10.57
  4. Spring Web 5.3.25
  5. Spring Security OAuth2 Client 5.7.3
  6. org.codehaus.jettison jettison 1.5.1

Some of these are direct or transitive dependencies in the pom.xml, and a few are coming from your base docker image. Do you have any plans to upgrade these dependencies in the pom or base image?

Thanks, Nagasudhakar

snskr commented 1 year ago

Hi Team, can you please check if there is any plan to update these transitive dependencies?

onobc commented 1 year ago

These have been addressed.