[SONAR-10018] Check vulnerabilities of dependencies - SonarSource

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 6.6
Fix Version/s: 6.7
Component/s: None
Labels:
- Atlas
- Security

Description

We should upgrade jjwt to 0.9.0.

There are multiple vulnerabilities in jjwt dependencies :

CVE-2017-5929 for logback (since we provide a newer version SonarQube should not be affected)
CVE-2016-1000341 for BouncyCastle (https://github.com/jwtk/jjwt/issues/220)
CVE-2017-7525 for Jackson Deserialization (https://bugzilla.redhat.com/show_bug.cgi?id=1473260 , https://github.com/FasterXML/jackson-databind/issues/1599 )

Attachments

Activity

People

Assignee:: Eric Hartmann

Reporter:: Eric Hartmann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 30/Oct/17

Created:: 20/Oct/17 6:53 PM

Updated:: 23/Oct/17 6:13 PM

Resolved:: 23/Oct/17 6:12 PM