Posted to issues@activemq.apache.org by "Christopher L. Shannon (JIRA)" <ji...@apache.org> on 2018/11/15 19:28:00 UTC

[jira] [Commented] (AMQ-7103) Dependency updates flagged by OWASP Dependency Check

    [ https://issues.apache.org/jira/browse/AMQ-7103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16688544#comment-16688544 ] 

Christopher L. Shannon commented on AMQ-7103:
---------------------------------------------

[~ABakerIII] - I re-created the issue after I deleted it as I didn't think this was supposed to be posted in a public forum (as we had discussed previously). However, I talked to security about it and got guidance that this is actually ok to post in Jira. The response was that since these are known issues in public dependencies then they can go into a public bug tracker as they are not new or non-public so this is fine. So I apologize for deleting your original issue (I should have checked with security first).

We can target dependency updates for 5.15.9 where possible.

Also, you are already aware of this, but the other guidance I got from security was as follows:

"A vulnerability in a dependency does not automatically mean there is a
vulnerability in the project using that dependency.

If you have a PoC that demonstrates a project vulnerability because of
this dependency, please provide the details privately to
[security@foo.apache.org|mailto:security@foo.apache.org] as per [http://www.apache.org/security/] "


> Dependency updates flagged by OWASP Dependency Check
> ----------------------------------------------------
>
>                 Key: AMQ-7103
>                 URL: https://issues.apache.org/jira/browse/AMQ-7103
>             Project: ActiveMQ
>          Issue Type: Improvement
>    Affects Versions: 5.15.7
>            Reporter: Christopher L. Shannon
>            Priority: Major
>             Fix For: 5.15.9
>
>
> Original text from Jira issue from [~ABakerIII] - 
>  
> Please determine if
>  # The 458 vulnerabilities are true vulnerabilities or false positives
>  # Are there newer versions of the vulnerable libraries available
>  # Will updating the pom to use the new libraries break the build/test or not
>  # If some updates do break the build/test, please update the code to work.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
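The first of the four triage steps listed in the issue (decide whether each flagged finding is a true vulnerability or a false positive) is the one that produces a durable artifact: dependency-check reads a suppression file, so reviewed false positives can be recorded there instead of being re-triaged on every scan. The script below is an added example and is not code from the ActiveMQ issue, from the ActiveMQ project, or from dependency-check itself. It assumes the layout of the dependency-check JSON report (a top-level "dependencies" list whose entries carry "fileName", "packages", "vulnerabilityIds" and "vulnerabilities") and the suppression file schema (a "suppressions" root with "suppress" entries holding "notes", "packageUrl" and "cpe"); the report it parses is constructed, and every vendor, product and advisory id in it is a placeholder, not a real CVE or a real ActiveMQ dependency.

```python
"""Triage an OWASP Dependency Check JSON report and emit a suppression file.

Added example, not part of the ActiveMQ issue or of dependency-check itself.
Assumed: the report layout and suppression schema described in the lead-in.
The sample report and all identifiers in it are constructed placeholders.
"""
import json
from xml.sax.saxutils import escape

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample report: two jars, one of which was matched to a CPE for an
# unrelated product (the usual shape of a dependency-check false positive).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-parser-1.2.3.jar",
            "packages": [{"id": "pkg:maven/org.example/example-parser@1.2.3"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:example:example-parser:1.2.3:*:*:*:*:*:*:*"}],
            "vulnerabilities": [
                {"name": "EX-2018-0001", "severity": "HIGH"},
                {"name": "EX-2018-0002", "severity": "MEDIUM"},
            ],
        },
        {
            "fileName": "example-util-4.0.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-util@4.0.0"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:othervendor:util:4.0.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [{"name": "EX-2017-0003", "severity": "CRITICAL"}],
        },
    ]
})

# Decisions made by a human after checking the scanner's evidence: this CPE
# names a different product than the jar it was matched to.
FALSE_POSITIVE_CPES = {
    "cpe:2.3:a:othervendor:util:4.0.0:*:*:*:*:*:*:*":
        "example-util is not othervendor:util; product name collision",
}


def load_findings(report_text):
    """Return {package_url: {"file", "cpes", "vulns": [(id, severity), ...]}}."""
    report = json.loads(report_text)
    findings = {}
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", [])] or [dep["fileName"]]
        findings[purls[0]] = {
            "file": dep["fileName"],
            "cpes": [v["id"] for v in dep.get("vulnerabilityIds", [])],
            "vulns": [(v["name"], v.get("severity", "UNKNOWN").upper())
                      for v in dep.get("vulnerabilities", [])],
        }
    return findings


def triage(findings, false_positive_cpes):
    """Split findings into (true_positives, false_positives).

    A dependency is a false positive only when every CPE the scanner matched
    to it is on the reviewed list; a single unreviewed CPE keeps it in play.
    """
    true_pos, false_pos = {}, {}
    for purl, finding in findings.items():
        cpes = finding["cpes"]
        if cpes and all(c in false_positive_cpes for c in cpes):
            false_pos[purl] = finding
        else:
            true_pos[purl] = finding
    return true_pos, false_pos


def worst_severity(finding):
    """Highest severity among a dependency's findings, or NONE if it has none."""
    return max((sev for _, sev in finding["vulns"]),
               key=lambda s: SEVERITY_RANK.get(s, 0), default="NONE")


def suppression_xml(false_pos, reasons):
    """Render the reviewed false positives as a dependency-check suppression file."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
             'dependency-suppression.1.3.xsd">']
    for purl, finding in sorted(false_pos.items()):
        for cpe in finding["cpes"]:
            lines += ["  <suppress>",
                      f"    <notes>{escape(reasons[cpe])}</notes>",
                      f"    <packageUrl>{escape(purl)}</packageUrl>",
                      f"    <cpe>{escape(cpe)}</cpe>",
                      "  </suppress>"]
    lines.append("</suppressions>")
    return "\n".join(lines)


if __name__ == "__main__":
    tp, fp = triage(load_findings(SAMPLE_REPORT), FALSE_POSITIVE_CPES)
    for purl, finding in sorted(tp.items()):
        print(f"{worst_severity(finding):8} {purl}  ({len(finding['vulns'])} findings)")
    print(suppression_xml(fp, FALSE_POSITIVE_CPES))
```

Each suppression carries the reviewer's reason in its notes element, so the next person to run the scan can see why the match was dismissed rather than re-deriving it. The remaining true positives still need the later steps from the issue (is a fixed version available, does the pom update build), and, per the guidance quoted in the comment, a finding against a dependency is not by itself a finding against the project until someone shows the vulnerable code path is reachable.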