Closed
Description
The dependency check is now failing with the following CVE on a json-patch dependency from swagger-parser.
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] json-patch-1.13.jar: CVE-2021-4279(9.8)
The dependency tree looks like this:
+- io.swagger.parser.v3:swagger-parser:jar:2.1.7:compile
|  +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.7:compile
|  |  +- io.swagger:swagger-core:jar:1.6.8:compile
|  |  |  +- io.swagger:swagger-models:jar:1.6.8:compile
|  |  |  |  \- io.swagger:swagger-annotations:jar:1.6.8:compile
|  |  |  \- javax.validation:validation-api:jar:2.0.1.Final:compile
|  |  +- io.swagger:swagger-parser:jar:1.0.63:compile
|  |  +- io.swagger:swagger-compat-spec-parser:jar:1.0.63:compile
|  |  |  +- com.github.java-json-tools:json-schema-validator:jar:2.2.14:compile
|  |  |  |  +- com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:compile
|  |  |  |  +- com.github.java-json-tools:json-schema-core:jar:1.2.14:compile
|  |  |  |  |  +- com.github.java-json-tools:uri-template:jar:0.10:compile
|  |  |  |  |  \- org.mozilla:rhino:jar:1.7.7.2:compile
|  |  |  |  +- com.sun.mail:mailapi:jar:1.6.2:compile
|  |  |  |  \- com.googlecode.libphonenumber:libphonenumber:jar:8.11.1:compile
|  |  |  \- com.github.java-json-tools:json-patch:jar:1.13:compile
|  |  |     +- com.github.java-json-tools:msg-simple:jar:1.2:compile
|  |  |     |  \- com.github.java-json-tools:btf:jar:1.3:compile
|  |  |     \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
I know this is not the swagger-parser itself, but probably we have to update it to the newer json-patch version.
This version of json-patch is pretty old (27.May.2020), and no newer versions are available :(
So probably swagger-parser should be switched to another, more up-to-date library — see java-json-tools/json-patch#86.
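The tree above shows that json-patch is four levels deep, so the only thing a consumer of swagger-parser can change in its own build is the direct dependency at the top of that chain. The script below is an added example, not code from the swagger-parser project or from the issue author: it parses `mvn dependency:tree` output, finds every chain of dependencies that leads to a given groupId:artifactId, and prints the `<exclusion>` block for the direct dependency that pulls it in. The sample tree is constructed from the one in the issue, with the canonical three-column indentation that the page lost; the assumption is that the consuming pom declares `io.swagger.parser.v3:swagger-parser` directly.

```python
"""Locate which direct Maven dependency drags a flagged artifact into the build."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the `mvn dependency:tree` output quoted in the issue,
# re-indented the way Maven prints it (three columns per level).
SAMPLE_TREE = """\
+- io.swagger.parser.v3:swagger-parser:jar:2.1.7:compile
|  +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.7:compile
|  |  +- io.swagger:swagger-core:jar:1.6.8:compile
|  |  |  +- io.swagger:swagger-models:jar:1.6.8:compile
|  |  |  |  \\- io.swagger:swagger-annotations:jar:1.6.8:compile
|  |  |  \\- javax.validation:validation-api:jar:2.0.1.Final:compile
|  |  +- io.swagger:swagger-parser:jar:1.0.63:compile
|  |  +- io.swagger:swagger-compat-spec-parser:jar:1.0.63:compile
|  |  |  +- com.github.java-json-tools:json-schema-validator:jar:2.2.14:compile
|  |  |  |  +- com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:compile
|  |  |  |  +- com.github.java-json-tools:json-schema-core:jar:1.2.14:compile
|  |  |  |  |  +- com.github.java-json-tools:uri-template:jar:0.10:compile
|  |  |  |  |  \\- org.mozilla:rhino:jar:1.7.7.2:compile
|  |  |  |  +- com.sun.mail:mailapi:jar:1.6.2:compile
|  |  |  |  \\- com.googlecode.libphonenumber:libphonenumber:jar:8.11.1:compile
|  |  |  \\- com.github.java-json-tools:json-patch:jar:1.13:compile
|  |  |     +- com.github.java-json-tools:msg-simple:jar:1.2:compile
|  |  |     |  \\- com.github.java-json-tools:btf:jar:1.3:compile
|  |  |     \\- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
"""

# Each level of nesting is one "|  " (branch continues) or "   " (branch done),
# followed by "+- " (more siblings follow) or "\- " (last child).
LINE_RE = re.compile(r"^((?:\|  |   )*)[+\\]- (.+)$")
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

Node = Tuple[int, str, Optional[int]]  # (depth, coordinates, index of parent)


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree output into nodes with parent links."""
    nodes: List[Node] = []
    stack: List[int] = []  # stack[d - 1] is the most recent node at depth d
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue  # the root "group:artifact:jar:version" line, or noise
        depth = len(match.group(1)) // 3 + 1
        coords = match.group(2).split()[0]  # drop trailers such as "(optional)"
        del stack[depth - 1:]  # leaving deeper levels closes those branches
        parent = stack[-1] if stack else None
        nodes.append((depth, coords, parent))
        stack.append(len(nodes) - 1)
    return nodes


def gav(coords: str) -> Tuple[str, str, str]:
    """Split groupId:artifactId:type[:classifier]:version[:scope]."""
    parts = coords.split(":")
    if len(parts) < 4:
        raise ValueError(f"not Maven coordinates: {coords!r}")
    version = parts[-2] if parts[-1] in SCOPES else parts[-1]
    return parts[0], parts[1], version


def find_paths(nodes: List[Node], group_id: str, artifact_id: str) -> List[List[str]]:
    """Every chain from a direct dependency down to the wanted artifact."""
    paths = []
    for idx, (_, coords, _) in enumerate(nodes):
        group, artifact, _ = gav(coords)
        if (group, artifact) != (group_id, artifact_id):
            continue
        chain, cur = [], idx
        while cur is not None:
            chain.append(nodes[cur][1])
            cur = nodes[cur][2]
        paths.append(list(reversed(chain)))
    return paths


def exclusion_xml(direct_coords: str, excluded_coords: str) -> str:
    """pom.xml <dependency> for the direct dependency, excluding the flagged jar."""
    dg, da, dv = gav(direct_coords)
    xg, xa, _ = gav(excluded_coords)
    return (
        "<dependency>\n"
        f"  <groupId>{dg}</groupId>\n"
        f"  <artifactId>{da}</artifactId>\n"
        f"  <version>{dv}</version>\n"
        "  <exclusions>\n"
        "    <exclusion>\n"
        f"      <groupId>{xg}</groupId>\n"
        f"      <artifactId>{xa}</artifactId>\n"
        "    </exclusion>\n"
        "  </exclusions>\n"
        "</dependency>"
    )


if __name__ == "__main__":
    for path in find_paths(parse_tree(SAMPLE_TREE), "com.github.java-json-tools", "json-patch"):
        print(" -> ".join(path))
        print(exclusion_xml(path[0], path[-1]))
```

Pipe real output in with `mvn dependency:tree | python3 find_path.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`. Treat the generated exclusion as a decision, not a fix: excluding json-patch removes the jar from the classpath entirely, so if any code path in swagger-compat-spec-parser loads a json-patch class it fails at runtime with `NoClassDefFoundError`. That is only acceptable when the application never exercises that converter; otherwise the remaining options are a dependency-check suppression with a written justification, or the library switch the issue proposes.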