I use Sonartype OSS index to scan my code using ZK 9.0.0 has 2 vulnerability

asked 2020-04-27 10:42:44 +0800

sesong11 gravatar image sesong11
17 3
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit-aggregate (default-cli) on project nexus-proxy: Detected 2 vulnerable components:

[ERROR]   com.google.protobuf:protobuf-java:jar:3.0.2:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/[email protected]

[ERROR]     * [CVE-2015-5237]  Improper Restriction of Operations within the Bounds of a Memory Buffer (8.8); https://ossindex.sonatype.org/vuln/d47d20ab-eb2a-4cfd-8064-bbf6283649cb

[ERROR]   com.google.guava:guava:jar:20.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/[email protected]

[ERROR]     * [CVE-2018-10237]  Deserialization of Untrusted Data (5.9); https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0
delete flag offensive retag edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-04-27 12:49:28 +0800

cor3000 gravatar image cor3000
6032 2 7
ZK Team

updated 2020-05-25 12:45:52 +0800

thanks for the information. It is possible to exclude these optional dependencies ZK will continue to function without them (during development it won't be able to generate source maps, which is what the google closure compiler is used for)

I posted the issue: ZK-4561 (it also mentions which dependency has to be excluded to avoid these alerts)

UPDATE (2020-05-25)

  • ZK-4561 makes the dependency optional
  • ZK-4562 (integrates a dependency check )

testable in the latest FL version for 9.1.0

e.g. 9.1.0.FL.20200522-Eval - pom : google closure compiler was updated and made optional so it doesn't appear in your transitive dependencies by default

link publish delete flag offensive edit


thanks, To avoid future problems I added latest version of both dependencies to my project to override them.

sesong11 ( 2020-04-27 17:24:18 +0800 )edit

yes that's the other option... keep in mind that, this won't prevent future problems e.g. if new vulnerabilities are found you have to update again... if you exclude the dependencies you they can't have future problems ;) that's why I suggested excluding them. anyways maven supports both ways.

cor3000 ( 2020-04-27 18:11:53 +0800 )edit

I worry it going to disable some ZK features or make runtime exception. I will try

sesong11 ( 2020-04-28 09:21:54 +0800 )edit

don't worry, if it breaks it's a bug (please let us know if that's the case) see new features doc

cor3000 ( 2020-04-28 12:21:26 +0800 )edit
Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

1 follower



Asked: 2020-04-27 10:42:44 +0800

Seen: 9 times

Last updated: May 25 '20

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More