Gradle owasp plugin does not see CVE-2022-42889

Time:11-07

I have a build.gradle file with the following plugins and dependencies

plugins {
    ...
    id 'org.owasp.dependencycheck' version '7.3.0'
    ...
}

ext {
    ...
    okHttpVersion = '4.9.3'
    ...
}

repositories {
    mavenCentral()
}

dependencies {
    implementation(
            ...
            //misc
            'org.testcontainers:junit-jupiter:1.16.3',
            'org.everit.json:org.everit.json.schema:1.5.1',
            'com.github.therapi:therapi-runtime-javadoc:0.13.0',
            'org.apache.commons:commons-text:1.9.0',  //this is the vulnerability
            "com.squareup.okhttp3:okhttp:$okHttpVersion",
            "com.squareup.okhttp3:mockwebserver:$okHttpVersion",
            ...
    )
    ...
}


When I run ./gradlew dependencyCheckAnalyze, I cannot see anything about 'org.apache.commons:commons-text:1.9.0' in the report.

I have tried to execute ./gradlew dependencyCheckPurge, then ./gradlew dependencyCheckUpdate, followed by ./gradlew dependencyCheckAnalyze; however, the report outputs are the same.

CodePudding user response:

For some reason the plugin did not recognise the MAJOR.MINOR.PATCH pattern, but rather MAJOR.MINOR. Therefore 1.9.0 was not visible. On top of it, in the Maven repository there is no 1.9.0 anymore.

Putting 1.9 fixed the report results.

However, I reckon it is a plugin issue.

UPDATED 07.11.2022:

1.9.0 never existed
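The version mismatch behind this thread, as an added example that is not from the question, the answer or the dependency-check plugin: a Python check that extracts the literal coordinates from a build.gradle and compares each exact version string against the repository's maven-metadata.xml index, so a coordinate like commons-text:1.9.0 that can never resolve (and therefore produces no finding in the report) is flagged before the scan is trusted. BUILD_GRADLE and METADATA are constructed sample data modelled on the page; in practice the metadata would be fetched from the repository.

```python
import re
import xml.etree.ElementTree as ET
# Constructed excerpt modelled on the question's build.gradle (sample data, not read from disk).
BUILD_GRADLE = """
dependencies {
    implementation(
            'org.apache.commons:commons-text:1.9.0',  //this is the vulnerability
            'org.everit.json:org.everit.json.schema:1.5.1',
            "com.squareup.okhttp3:okhttp:$okHttpVersion",
    )
}
"""
# Constructed stand-in for Maven Central's maven-metadata.xml, keyed by group:artifact.
# 1.9 is published, 1.9.0 is not.
METADATA = {
    "org.apache.commons:commons-text": """<metadata>
  <groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId>
  <versioning><versions>
    <version>1.8</version><version>1.9</version><version>1.10.0</version>
  </versions></versioning></metadata>""",
}
# Literal 'group:artifact:version' strings; $-interpolated versions are skipped on purpose.
COORD_RE = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([^'"$]+)['"]""")

def declared_coordinates(gradle_text):
    """Return (group, artifact, version) triples for literal coordinates."""
    return COORD_RE.findall(gradle_text)

def published_versions(metadata_xml):
    """Exact version strings listed in a maven-metadata.xml document."""
    return {v.text for v in ET.fromstring(metadata_xml).iter("version")}

def normalize(version):
    """Drop trailing '.0' components so 1.9.0 and 1.9 compare equal numerically."""
    parts = version.split(".")
    while len(parts) > 1 and parts[-1] == "0":
        parts.pop()
    return ".".join(parts)
def unresolvable(gradle_text, metadata_by_ga):
    """Coordinates whose exact version string is absent from the index. Maven matches
    versions as strings, so 1.9.0 never resolves to 1.9 and the scanner sees nothing."""
    problems = []
    for group, artifact, version in declared_coordinates(gradle_text):
        ga = f"{group}:{artifact}"
        if ga not in metadata_by_ga:
            problems.append((ga, version, "no metadata for artifact"))
        elif version not in (versions := published_versions(metadata_by_ga[ga])):
            same = sorted(v for v in versions if normalize(v) == normalize(version))
            problems.append((ga, version, f"not published; numerically equal: {same}"))
    return problems
```

Running it against the constructed data reports commons-text 1.9.0 as unpublished with 1.9 as the numerically equal candidate, which is the fix the answer arrived at.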
