Version of freetype.dll ???

Sherrill Neese

Aug 21, 2015, 9:38:44 AM
to Dependency Check
Hello,

I am working on a project and we are using Dependency Check.

I ran a scan against our application and it listed freetype.dll as an issue with numerous vulnerabilities.  As with other dependency vulnerabilities, these vulnerabilities are listed by version number.  However, Dependency Check did not list the version number for the freetype.dll file in our application.  How do I determine what version of freetype.dll I have?  

The file is included with OpenJDK 1.7.0u80 and located in the <install>/jre/bin directory.  

If this cannot be done with Dependency Check, is there someplace that lists which version of freetype.dll is included with which version of OpenJDK?

Thanks!

Jeremy Long

Aug 22, 2015, 5:41:49 AM
to Dependency Check
First, I would not recommend scanning the JRE/JDK directory. Instead, just keep up with the current patching for the JVM; in my experience (depending on organization size) patching items like the Java and application containers (Tomcat, WebSphere, etc.) are handled by a middleware team. Dependency-check is not really designed to scan entire systems or middleware components. Rather, this is a build tool used to scan the libraries that an application depends on.

As to your specific question about freetype.dll - I have no idea. If you expand the "evidence" section of the report and no version number is specified then I would have no idea. Additionally, just because the DLL/JAR/etc. is present when scanning a directory like the JRE doesn't mean that anything is actually exploitable; there is a huge difference between vulnerable and exploitable.

--Jeremy

Sherrill Neese

Aug 24, 2015, 10:37:50 AM
to Jeremy Long, Dependency Check
Thanks for the information and the recommendation.  This makes sense.

Thanks again.

Sherrill
