Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/06/01 18:24:00 UTC

[jira] [Comment Edited] (NIFI-10078) Update Several Vulnerable Dependencies

    [ https://issues.apache.org/jira/browse/NIFI-10078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17545083#comment-17545083 ] 

David Handermann edited comment on NIFI-10078 at 6/1/22 6:23 PM:
-----------------------------------------------------------------

There are a large number of dependencies that are marked as vulnerable using tools such as the OWASP dependency check plugin. Some of the results are false positives, or relate to the server component as opposed to the client library.

Please open specific Jira issues for individual dependencies after performing an initial evaluation of where the dependency is referenced.


was (Author: exceptionfactory):
There are a large number of dependencies that are marked as vulnerable using tools such as the OWASP dependency check plugin. Some of the results are false positives, or relate to the server component as opposed to the client library.

Please open specific Jira issues for individual after performing an initial evaluation of where the dependency is referenced.

> Update Several Vulnerable Dependencies
> --------------------------------------
>
>                 Key: NIFI-10078
>                 URL: https://issues.apache.org/jira/browse/NIFI-10078
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.16.1
>            Reporter: Mike R
>            Priority: Major
>
> Sorry if this is a duplicate, but I found a few components that came through a vulnerability scan to see if NiFi can work to get these fixed.
> |Package|Location|Where To Download Fix|
> |HTTP Components|commons-httpclient-3.1.jar|[Apache HttpComponents – HttpComponents Downloads|https://hc.apache.org/downloads.cgi]|
> |esapi|esapi-2.2.0.0.jar|[Maven Central Repository Search|https://search.maven.org/search?q=g:org.owasp.esapi]|
> |esapi|esapi-2.2.0.0.jar|[Maven Central Repository Search|https://search.maven.org/search?q=g:org.owasp.esapi]|
> |Guava|guava-28.0-jre.jar|[Releases · google/guava (github.com)|https://github.com/google/guava/releases]|
> |XML Sec|xmlsec-1.5.8.jar|[Apache Santuario -- download|https://santuario.apache.org/download.html]|
> |ZooKeeper|zookeeper-3.5.9.jar|[Apache Downloads|https://www.apache.org/dyn/closer.lua/zookeeper/zookeeper-3.8.0/apache-zookeeper-3.8.0-bin.tar.gz]|
> |ZooKeeper-Jute|zookeeper-jute-3.5.9.jar|[Apache Downloads|https://www.apache.org/dyn/closer.lua/zookeeper/zookeeper-3.8.0/apache-zookeeper-3.8.0-bin.tar.gz]|


