WildFly / WFLY-15904

Move test dep to json-smart 2.4.5 or later by moving test dep nimbus-jose-jwt to 8.23

Details

    Description

      The json-smart lib is a transitive dep of a test dep, nimbus-jose-jwt. The transitive dep version has a CVE filed against it – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31684. That's being flagged up by security scanners of the WF code.

      Either:

      1) Move nimbus-jose-jwt to a later version whose transitive dep is on a fixed version of json-smart
      2) Exclude the transitive dep if we don't need it
      3) Control the transitive dep version in dependency management and upgrade it.
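
      The three options above as a Maven parent POM fragment. This is an added example, not part of the issue or the WildFly build; the property names are hypothetical, and the versions are the ones named in the issue title.

```xml
<!-- Added example: parent pom.xml fragment. Property names are hypothetical. -->
<project>
  <properties>
    <!-- Option 1: bump the direct test dependency (version from the issue title) -->
    <version.com.nimbusds.nimbus-jose-jwt>8.23</version.com.nimbusds.nimbus-jose-jwt>
    <!-- Option 3: pin the transitive dependency (minimum from the issue title) -->
    <version.net.minidev.json-smart>2.4.5</version.net.minidev.json-smart>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>${version.com.nimbusds.nimbus-jose-jwt}</version>
        <scope>test</scope>
        <!-- Option 2: enable only if no test code path reaches json-smart;
             otherwise the tests fail with missing classes at run time.
        <exclusions>
          <exclusion>
            <groupId>net.minidev</groupId>
            <artifactId>json-smart</artifactId>
          </exclusion>
        </exclusions>
        -->
      </dependency>

      <!-- Option 3: a managed version takes precedence over the version
           requested in the POM of nimbus-jose-jwt, for every module that
           inherits this dependencyManagement section. -->
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>${version.net.minidev.json-smart}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

      Whichever option is used, `mvn dependency:tree -Dincludes=net.minidev:json-smart` run in the affected module shows which version is actually resolved and through which direct dependency it arrives.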

          People

            bstansbe@redhat.com Brian Stansberry