Dear GitHub user,
I am contacting you to inform you that, as a result of a study that SAP Security Research
conducted on the top 100 most popular Java projects in GitHub, my colleagues and I found that
the latest release of one of your projects includes at least one dependency affected by a known vulnerability (CVE).
I warmly invite you to reply to this email to get the details about our findings (identical copies
of this message are being sent to all the owners/main contributors of the affected projects,
so we cannot include more details here). We would be happy to provide all the information at our disposal
as well as hear your opinion on how the general problem of vulnerable dependencies could be addressed
by the open-source community, by commercial vendors, and by the research community.
Our findings are described at an aggregated level in a paper that we submitted for publication in the
proceedings of a scientific conference; I am attaching the abstract of our paper.
While we do not list the projects that we analyzed, it would be possible for anyone to reproduce
our search on GitHub and guess the list of projects we studied.
Technically, what we found is already visible to anybody who cares to do what we did, that is to
construct the full dependency tree for your project and check one by one your dependencies against the NVD.
Would you please note that, while we cannot say for sure if your project is actually exploitable
because of its vulnerable dependency(-ies), we strongly advise that you look into the issue and
check if an upgrade to a more recent, non-vulnerable version is feasible.
I look forward to hearing from you,
Antonino Sabetta, Ph.D.
Senior Researcher
SAP Security Research
SAP Labs France
805, av. Maurice Donat
06254 Mougins CEDEX - FRANCE
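The check the letter describes (build the dependency tree, compare each dependency's version against known-vulnerable ranges, upgrade to the first fixed release) is shown below as an added example; it is not the authors' tooling. It assumes Maven `mvn dependency:tree` text output and uses a constructed advisory table with placeholder ids in place of a live NVD lookup.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a fictional project.
SAMPLE_TREE = r"""[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.commons:commons-collections4:jar:4.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

# Constructed stand-in for NVD data (placeholder ids, not real advisories):
# (groupId, artifactId) -> [(first_vulnerable, first_fixed, advisory_id)]
ADVISORIES = {
    ("org.apache.commons", "commons-collections4"): [("4.0", "4.1", "CVE-PLACEHOLDER-1")],
    ("com.fasterxml.jackson.core", "jackson-databind"): [("2.9.0", "2.9.9", "CVE-PLACEHOLDER-2")],
}

# Strips "[INFO]" and the tree-drawing characters (+- |  \-) that precede each coordinate.
TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")

def parse_version(v):
    # Dotted version -> int tuple; non-numeric parts become 0, trailing zeros dropped (2.9 == 2.9.0).
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_tree(text):
    # Coordinates are group:artifact:type[:classifier]:version:scope; the root line
    # has only 4 fields (no scope) and is skipped. Returns (groupId, artifactId, version).
    deps = []
    for line in text.splitlines():
        fields = TREE_PREFIX.sub("", line).split(":")
        if len(fields) < 5:
            continue
        deps.append((fields[0], fields[1], fields[-2]))
    return deps

def find_vulnerable(deps, advisories):
    # A dependency is affected when first_vulnerable <= version < first_fixed.
    hits = []
    for group, artifact, version in deps:
        v = parse_version(version)
        for lo, hi, advisory in advisories.get((group, artifact), []):
            if parse_version(lo) <= v < parse_version(hi):
                hits.append((f"{group}:{artifact}:{version}", advisory, hi))
    return hits

if __name__ == "__main__":
    for coord, advisory, fixed in find_vulnerable(parse_tree(SAMPLE_TREE), ADVISORIES):
        print(f"{coord} affected by {advisory}; upgrade to {fixed} or later")
```

Transitive dependencies (indented with `|`) are checked exactly like direct ones, which is the point of building the full tree rather than reading only the project's own pom.xml.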