State of CVE in current swagger-core v1.6.4 #4111
Comments
Addressed in #4114
@jehaineoracle can you clarify which vulnerability is not addressed?
@frantuma I believe the apache commons CVE is addressed. But for the Guava CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908) there was a vulnerable API that has since been deprecated. For that vulnerability to clear, do we have to wait for the deprecated API to be removed in a later version?
@jehaineoracle as the vulnerable API is not used throughout the project, I'd say that we are not affected by it. Are you possibly getting a vulnerability report related to CVE-2020-8908 from some automated tool?
@frantuma yes, in 2.4.x of swagger-codegen https://github.com/swagger-api/swagger-codegen/tree/v2.4.25
@jehaineoracle swagger-codegen is a different project; we are addressing vulnerabilities of that project outside the scope of this ticket/repo.
Sorry, I misspoke. swagger-core is a dependency of swagger-codegen. Our scan of swagger-codegen found swagger-core to have CVEs against it https://mvnrepository.com/artifact/io.swagger/swagger-core/1.6.4
@jehaineoracle right, as mentioned above we are addressing vulnerabilities of swagger-codegen within that project; this will also mean updating swagger-core to
@frantuma right. I'm just going to the root project flagged with the issue. Thanks. I still see Guava as a dependency that hasn't eliminated its CVE, only deprecated the API with issue
As mentioned above, the Guava CVE is not affecting swagger-core, as the vulnerable API is not used. We are closing this issue; if vulnerability alerts come up for 1.6.5, feel free to open a new one.
Anyone working on a patch for the CVE issues in swagger-core v1.6.4 ?
https://mvnrepository.com/artifact/io.swagger/swagger-core/1.6.4
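The maintainers' argument above (a CVE in a dependency only matters if the flagged API is actually reachable from the code base) can be checked mechanically rather than by eye. The script below is an added example, not swagger-core or Guava code: CVE-2020-8908 concerns Guava's `com.google.common.io.Files.createTempDir()`, and the regexes, the comment stripping and the sample Java sources are this example's own constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# CVE-2020-8908 is about Guava's com.google.common.io.Files.createTempDir();
# it is only a concern if the code base calls it. The patterns below are this
# example's own heuristics (assumption), not a Guava or swagger-core API.
STATIC_IMPORT = re.compile(
    r"^\s*import\s+static\s+com\.google\.common\.io\.Files\.(createTempDir|\*)\s*;", re.M)
QUALIFIED_CALL = re.compile(r"\bFiles\.createTempDir\s*\(")   # java.nio has createTempDirectory, never createTempDir
BARE_CALL = re.compile(r"(?<![\w.])createTempDir\s*\(")       # only meaningful after a static import
LINE_COMMENT = re.compile(r"//.*")

def file_references_api(source: str) -> bool:
    """True if the Java source calls Guava's createTempDir, qualified or via static import."""
    code = LINE_COMMENT.sub("", source)          # a mention in a // comment is not a call site
    if QUALIFIED_CALL.search(code):
        return True
    return bool(STATIC_IMPORT.search(code) and BARE_CALL.search(code))

def scan_tree(root: Path) -> list[str]:
    """Relative paths of every .java file under root that references the vulnerable API."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.java")
                  if file_references_api(p.read_text(encoding="utf-8")))

# Constructed sample sources for the demo (not swagger-core's code).
SAMPLES = {
    "a/Direct.java": "import com.google.common.io.Files;\n"
                     "class Direct { java.io.File d = Files.createTempDir(); }\n",
    "b/Static.java": "import static com.google.common.io.Files.createTempDir;\n"
                     "class Static { Object d = createTempDir(); }\n",
    "c/Nio.java": "import java.nio.file.Files;\n"
                  "class Nio { Object d() throws Exception { return Files.createTempDirectory(\"x\"); } }\n",
    "d/Comment.java": "class Comment { // we avoid Files.createTempDir(); see CVE-2020-8908\n}\n",
}

def demo() -> list[str]:
    """Write the samples to a temporary tree and report which files are really affected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLES.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())  # ['a/Direct.java', 'b/Static.java']
```

An empty result from `scan_tree` on the project's own sources is the evidence behind "the vulnerable API is not used"; a non-empty one lists the call sites to migrate away from the deprecated method.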