Security scans findings #1101
Labels: dependencies (Dependency updates), on hold (Currently no progress possible), question (A question about this library or its usage)
Blackduck source scans findings
At my company, while scanning our project we found a lot of vulnerabilities coming from this dependency using a Blackduck source scan, some dating back to 2005 or older. At first we thought this was probably a false positive from Blackduck, but when we contacted them they told us they also see the problems.
The question
Is this correct? We are using the latest version, released just a couple of weeks ago, so this doesn't make sense.
Stacktraces and logs
For instance, one of your direct dependencies is spring-cloud-starter-netflix-eureka-client 4.1.0, which, looking at Maven Central, brings in eureka-client 2.0.1, which in turn has commons-configuration 1.10 as a dependency. This one is very old (Oct 24, 2013), and one of its many vulnerabilities is log4shell, coming from log4j 1.2.8.
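One way to check whether a scanner-flagged transitive artifact actually reaches the classpath, and through which chain, is to walk the output of `mvn dependency:tree`. The following is an added example (not code from the issue or the project): the tree text is constructed, using the four coordinates named in the issue plus an assumed second branch to show the verbose "omitted" form.

```python
import re
from typing import Dict, List, Optional

# Constructed `mvn dependency:tree -Dverbose` output. The eureka-client ->
# commons-configuration -> log4j chain uses the versions from the issue; the
# root project and the other-lib branch are made up for this example.
SAMPLE_TREE = """\
com.example:demo:jar:1.0
+- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.1.0:compile
|  \\- com.netflix.eureka:eureka-client:jar:2.0.1:compile
|     \\- commons-configuration:commons-configuration:jar:1.10:compile
|        \\- log4j:log4j:jar:1.2.8:compile
\\- org.example:other-lib:jar:2.0:compile
   \\- (log4j:log4j:jar:1.2.8:compile - omitted for duplicate)
"""

# Optional "[INFO] " prefix, tree-drawing prefix, then either plain coordinates
# or the parenthesised verbose form "(coords - omitted for ...)".
NODE_RE = re.compile(
    r"^(?:\[INFO\] )?((?:[| ] {2})*)[+\\]- \(?([^\s()]+)(?: - ([^)]*))?\)?\s*$")


def parse_tree(text: str) -> List[Dict]:
    """Return every non-root node with its ancestor chain (direct dependency first)."""
    nodes: List[Dict] = []
    stack: List[str] = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # root line, blank line, or unrelated Maven output
        prefix, coords, note = m.groups()
        depth = len(prefix) // 3 + 1  # each indent segment is 3 characters
        parts = coords.split(":")      # group:artifact:type[:classifier]:version:scope
        group, artifact, version, scope = parts[0], parts[1], parts[-2], parts[-1]
        del stack[depth - 1:]          # drop siblings/children of the previous node
        stack.append(f"{group}:{artifact}:{version}")
        nodes.append({"group": group, "artifact": artifact, "version": version,
                      "scope": scope, "omitted": note is not None, "path": list(stack)})
    return nodes


def find_paths(text: str, group: str, artifact: str) -> List[Dict]:
    """Every occurrence of group:artifact in the tree, with how each is reached."""
    return [n for n in parse_tree(text) if n["group"] == group and n["artifact"] == artifact]


def resolved_version(text: str, group: str, artifact: str) -> Optional[str]:
    """Version Maven actually places on the classpath; None if absent or only omitted."""
    for n in find_paths(text, group, artifact):
        if not n["omitted"]:
            return n["version"]
    return None


if __name__ == "__main__":
    for hit in find_paths(SAMPLE_TREE, "log4j", "log4j"):
        print(("omitted" if hit["omitted"] else "resolved"), " -> ".join(hit["path"]))
```

Feed it `mvn dependency:tree -Dverbose` output of the real project to see whether the scanner's finding corresponds to a resolved artifact or only to an omitted duplicate.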