OWASP Dependency Check flags vulnerabilities in projects using the wsdl2java Gradle plugin
volkert-fastned opened this issue
Hi,
I have both your wsdl2java plugin (great piece of software, by the way!) and the OWASP Dependency plugin installed in a Gradle project.
This results in the following flagged vulnerabilities:
cxf-xjc-ts-3.3.1.jar (pkg:maven/org.apache.cxf.xjcplugins/cxf-xjc-ts@3.3.1, cpe:2.3:a:apache:cxf:3.3.1:*:*:*:*:*:*:*) : CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573
cxf-xjc-boolean-3.3.1.jar (pkg:maven/org.apache.cxf.xjcplugins/cxf-xjc-boolean@3.3.1, cpe:2.3:a:apache:cxf:3.3.1:*:*:*:*:*:*:*) : CVE-2019-12406, CVE-2019-12419, CVE-2019-12423, CVE-2019-17573
These are apparently dependencies of the wsdl2java plugin, since the project in which I encountered this issue does not have these as dependencies, transitive or otherwise.
Perhaps it's time to upgrade these dependencies in the wsdl2java plugin? Or are these false positives that we should report at https://github.com/jeremylong/dependency-check-gradle ?
Thanks.
Thanks for the report! If you want it to be fixed quickly, you can send a PR as well :)
@volkert-fastned Unfortunately, I don't think there's much that can be done about that right now. 3.3.1 is the latest release of those plugins:
https://search.maven.org/artifact/org.apache.cxf.xjcplugins/cxf-xjc-boolean
https://search.maven.org/artifact/org.apache.cxf.xjcplugins/cxf-xjc-ts
Once version 0.13 of this plugin is published, you'll be able to specify different versions for cxf (e.g. 3.3.5) and those plugins (e.g. 3.3.1). Also, it should only pull in those dependencies if you actually use the related flags, which may also solve your issue.
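For readers who want to pin the CXF core artifacts to a newer patch release while waiting for the plugin release discussed above, the following `build.gradle.kts` fragment is an added example and is not code from this issue, from the wsdl2java plugin, or from dependency-check-gradle. It uses only core Gradle resolution APIs (`configurations.all`, `resolutionStrategy.eachDependency`, `useVersion`) rather than the plugin's own (unshown) version settings, and it assumes the plugin resolves CXF through an ordinary project configuration so that a project-wide resolution strategy applies to it. The `org.apache.cxf.xjcplugins` artifacts are deliberately left untouched: as the maintainer notes, 3.3.1 is their latest release, so forcing them higher would break resolution. The version `3.3.5` is taken from the maintainer's example and is an illustration, not a recommendation.

```kotlin
// build.gradle.kts (added example; not part of the issue or either plugin)

// Pin every org.apache.cxf core artifact to one CXF release so the wsdl2java
// tooling and any runtime CXF dependency resolve to the same patch version.
// ASSUMPTION: the wsdl2java plugin resolves CXF via a normal project
// configuration, which is what makes a project-wide strategy apply to it.
val pinnedCxfVersion = "3.3.5" // illustrative value from the maintainer's comment

configurations.all {
    resolutionStrategy.eachDependency {
        // Only the core group is pinned. org.apache.cxf.xjcplugins is left
        // alone on purpose: 3.3.1 is its latest published release, so forcing
        // it to 3.3.5 would fail dependency resolution instead of upgrading it.
        if (requested.group == "org.apache.cxf") {
            useVersion(pinnedCxfVersion)
            because("align CXF core artifacts on a single patch release")
        }
    }
}
```

After applying this, `./gradlew dependencies` shows the `org.apache.cxf` coordinates resolving to `3.3.5` while the two `cxf-xjc-*` jars still report `3.3.1`; re-running dependency-check then tells you whether any remaining findings come only from the xjc plugin jars, which is the situation the maintainer describes.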