Hi, @ahitch, I stumbled upon a vulnerability introduced by package groovy-all-2.4.17.jar:
When I build the project, I notice that package groovy-all-2.4.17 with a vulnerability (CVE-2020-17521) will be downloaded in the arctic-sea-master\iceland\statistics\core module. I know that this project downloads and loads groovy-all in EmbeddedElasticsearch.init() by classLoader at run time.
Why is the project referencing this third-party library in a dynamically loaded manner instead of using Maven for dependency management?
Is it possible to update groovy-all to remove the vulnerability?
Maybe you can try to upgrade groovy-all to 2.4.21.
Note: _groovy-all@2.4.21_ has fixed all vulnerabilities. Of course, you are welcome to share other ways to resolve the issue.
Thank you for your attention to this issue.
Best regards, ^_^
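As the issue describes, the jar is fetched and loaded at run time rather than managed through Maven, so a check that only reads the declared dependency tree will not list it. The following is an added example (not part of the original issue or the project's code) that walks a directory for groovy-all jars below the 2.4.21 version suggested above; the directory layout and placeholder files are constructed.

```python
import os
import re
import tempfile

# Version the issue suggests upgrading to; jars below it are reported.
MIN_SAFE = (2, 4, 21)

# Matches groovy-all-2.4.17.jar and classifier variants such as groovy-all-2.4.17-indy.jar
JAR_RE = re.compile(r"^groovy-all-(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\.jar$")


def jar_version(filename):
    """Return (major, minor, patch) parsed from a groovy-all jar name, else None."""
    m = JAR_RE.match(filename)
    return tuple(int(p) for p in m.groups()) if m else None


def find_outdated(root, minimum=MIN_SAFE):
    """Walk root; return sorted (relative path, version) pairs for jars below minimum."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = jar_version(name)
            if version is not None and version < minimum:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), ".".join(map(str, version))))
    return sorted(hits)


def build_constructed_sample(root):
    """Create empty placeholder files (constructed sample, not real jars)."""
    for rel in ("module-a/lib/groovy-all-2.4.17.jar",
                "cache/groovy-all-2.4.17-indy.jar",
                "cache/groovy-all-2.4.21.jar",
                "cache/groovy-2.4.17-notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for rel, version in find_outdated(tmp):
            print(f"groovy-all {version} is below {'.'.join(map(str, MIN_SAFE))}: {rel}")
```

The match is on file names only, so a renamed or repackaged copy of the jar would not be found by this check.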