wcm-io / io.wcm.testing.aem-mock

Mock implementation of selected AEM APIs.
Apache License 2.0

Security Vulnerability CVE-2023-37895 #41

Open nguyes20 opened 1 month ago

nguyes20 commented 1 month ago

We're using io.wcm.testing.aem-mock.junit5:5.5.2 in our project and it has a high-severity security risk, CVE-2023-37895, in the Blackduck code scan report as shown below.


According to CVE-2023-37895:

Users are advised to immediately update to versions 2.20.11 or 2.21.18

Please help to upgrade the Jackrabbit dependency version in the next release.

stefanseifert commented 1 month ago

following the links in the CVE report and the posting here: https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw only certain jackrabbit artifacts are affected (jackrabbit-webapp, jackrabbit-standalone, jackrabbit-standalone-components).

none of these artifacts are included in aem-mock and its dependencies:

$ mvn dependency:tree | grep jackrabbit
[INFO] +- org.apache.jackrabbit:jackrabbit-jcr-commons:jar:2.20.9:compile
[INFO] |  +- org.apache.jackrabbit:oak-jackrabbit-api:jar:1.22.15:compile
[INFO] |  +- org.apache.jackrabbit:oak-jcr:jar:1.22.15:compile
[INFO] |  |  +- org.apache.jackrabbit:oak-api:jar:1.22.15:compile
[INFO] |  |  +- org.apache.jackrabbit:oak-core-spi:jar:1.22.15:compile
[INFO] |  |  +- org.apache.jackrabbit:oak-store-spi:jar:1.22.15:compile
[INFO] |  |  +- org.apache.jackrabbit:oak-query-spi:jar:1.22.15:compile
[INFO] |  |  +- org.apache.jackrabbit:oak-security-spi:jar:1.22.15:compile
[INFO] |  |  +- org.apache.jackrabbit:oak-core:jar:1.22.15:compile
[INFO] |  |  |  \- org.apache.jackrabbit:oak-blob-plugins:jar:1.22.15:compile
[INFO] |  |  |     +- org.apache.jackrabbit:jackrabbit-data:jar:2.20.9:compile
[INFO] |  |  |     +- org.apache.jackrabbit:oak-blob:jar:1.22.15:compile
[INFO] |  |  \- org.apache.jackrabbit:oak-commons:jar:1.22.15:compile
[INFO] +- org.apache.jackrabbit.vault:org.apache.jackrabbit.vault:jar:3.2.8:compile

so this looks like a false positive to me?

we try to keep the versions of the dependencies in sync with certain older AEM releases to ensure compatibility for a broader range still in use out there.
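A small triage script of the kind used to confirm the point made in the reply above, added here as an example and not code from aem-mock or from either commenter: it parses `mvn dependency:tree` output and flags only the artifacts the ASF posting names when they are below the fixed versions quoted in the issue (2.20.11 / 2.21.18). The sample trees are constructed, and treating anything from 2.22 upwards as patched is an assumption.

```python
import re

# Affected artifacts as named in the ASF posting linked in the thread.
AFFECTED_ARTIFACTS = {"jackrabbit-webapp", "jackrabbit-standalone", "jackrabbit-standalone-components"}

# A dependency line from `mvn dependency:tree` looks like:
#   [INFO] |  +- groupId:artifactId:type[:classifier]:version:scope
LINE_RE = re.compile(r"^\[INFO\]\s+[|\s]*[+\\]-\s+(\S+)$")

def parse_tree(text):
    """Return (groupId, artifactId, version, scope) for every dependency line."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 5:        # group:artifact:type:version:scope
            group, artifact, _, version, scope = parts
        elif len(parts) == 6:      # group:artifact:type:classifier:version:scope
            group, artifact, _, _, version, scope = parts
        else:
            continue
        deps.append((group, artifact, version, scope))
    return deps

def version_tuple(version):
    """'2.20.9' -> (2, 20, 9); non-numeric parts such as 'SNAPSHOT' compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))

def is_vulnerable(artifact, version):
    """Assumption: below 2.20.11, or a 2.21.x below 2.21.18, is unpatched; 2.22+ is patched."""
    if artifact not in AFFECTED_ARTIFACTS:
        return False
    v = version_tuple(version)
    return v < (2, 20, 11) or ((2, 21) <= v[:2] < (2, 22) and v < (2, 21, 18))

def triage(tree_text):
    """Return the (group, artifact, version) triples that are actually affected."""
    return [(g, a, v) for g, a, v, _ in parse_tree(tree_text) if is_vulnerable(a, v)]

# Constructed sample: the kind of artifacts aem-mock pulls in (no affected artifact).
TREE_AEM_MOCK = "\n".join([
    "[INFO] +- org.apache.jackrabbit:jackrabbit-jcr-commons:jar:2.20.9:compile",
    "[INFO] |  +- org.apache.jackrabbit:oak-jcr:jar:1.22.15:compile",
    "[INFO] |  |  \\- org.apache.jackrabbit:oak-commons:jar:1.22.15:compile",
])
# Constructed sample: a project that does embed one of the affected artifacts.
TREE_WEBAPP = "\n".join([
    "[INFO] +- org.apache.jackrabbit:jackrabbit-jcr-commons:jar:2.20.9:compile",
    "[INFO] \\- org.apache.jackrabbit:jackrabbit-standalone-components:jar:2.20.9:compile",
])

if __name__ == "__main__":
    for name, tree in (("aem-mock", TREE_AEM_MOCK), ("webapp", TREE_WEBAPP)):
        print(name, "->", triage(tree) or "no affected artifact present")
```

Running it against the tree pasted in the reply reports nothing, while the second sample shows what a real hit looks like, which is the distinction a scanner keyed on the groupId alone misses.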