Hi, I'm pretty new to Maven so maybe I'm doing this wrong - but when I add a dependency on java client 8.5.1 - that entire dependency block gets highlighted with "Provides transitive vulnerable dependency maven:commons-collections:commons-collections:3.2.2 Cx78f40514-81ff 7.5 Uncontrolled recursion vulnerability bending CVSS allocation". Seems like there's an entry in this project's pom for commons-validator 1.7, which in turn has a dependency on that old commons-collections (there's a newer one under commons-collections4 that doesn't have vulnerabilities). So... I don't understand why no one else is raising questions about this. Is everyone just suppressing the warning? Or is there something I'm missing?
Hi @serg64, why not address this question to the developers of the commons-validator lib?