Right now the logback-classic version is at 1.2.8 and netty is at 4.1.76. CVEs with a moderate score exist against both, which leads security scanners like trivy or blackduck to complain about them.
It would be nice if both dependencies could be updated to the latest version and a hotfix release could be made.
It looks like Application Insights isn't affected by the netty CVE, since that only affects Java 6 and older (assuming we're looking at the same one): Azure/azure-sdk-for-java#29295
We are getting netty as a transitive dependency from Azure SDK, so we'll probably plan on waiting until they update that dependency.
Thanks for looking into it, and yes, I know both CVEs have a moderate score and are not that easily usable, but some companies have a strict policy about it, and always writing exception files is not fun either.
It looks like Azure SDKs updated it a few days ago (Azure/azure-sdk-for-java#29638); we'll pull in the latest Azure SDK dependencies as soon as it is released.