Regarding ehcache vulnerability from rest-management classpath

Ashish Joshi

Mar 3, 2022, 9:08:21 AM
to dependen...@googlegroups.com
Hi There,
We are currently using ehcache-2.10.9.2.jar in our project. We are getting a security vulnerability issue from the REST API, not from the core classpath. It's with jetty-server:9.4.39.v20210325 (CVE-2021-34428) and jersey-common:2.311 (CVE-2021-28168).
If we use org.ehcache (3.x), it doesn't seem compatible with the existing version. Any direction for resolution will be appreciated. Not sure how we can suppress this security vulnerability, or whether we can expect a fix in a possible next release? Kindly advise. Will appreciate any help on this.

Thanks
Ashish Joshi

Hans Aikema

Mar 3, 2022, 2:31:46 PM
to Ashish Joshi, dependen...@googlegroups.com
Ashish,

for information on the suppression of vulnerabilities.

If you load the HTML report in a web browser there are buttons rendered next to a vulnerability that give the suppression snippet for a false positive (or a vulnerability mitigated by compensating controls) on a properly matched product, and another suppress button next to a CPE to suppress a false-positive scenario because a library was linked to the wrong software product.

When you want to suppress temporarily because you cannot upgrade now, and accept the risk associated with the vulnerability, I would advise using the "until" attribute on the suppression to make it expire for re-evaluation at some point in the future (example shown at the bottom of the documentation page).

kind regards,
Hans

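The kind of time-boxed suppression file Hans describes, as an added example that is not part of the thread and not a snippet generated by Dependency Check itself. It targets the two CVEs and Maven coordinates named in the question (org.eclipse.jetty:jetty-server and org.glassfish.jersey.core:jersey-common); the expiry date, the notes text and the ticket reference are assumptions made up for illustration, and the `until` value is what makes the risk acceptance expire rather than silently persist.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example suppression file; not the project's own. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

   <!-- Risk accepted until the assumed review date; after that the finding
        reappears in the report and must be re-evaluated or re-suppressed. -->
   <suppress until="2022-06-30Z">
      <notes><![CDATA[
      CVE-2021-34428 on jetty-server pulled in via ehcache 2.x rest-management.
      Accepted temporarily (assumed ticket SEC-123) until an upgrade path exists.
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-server@.*$</packageUrl>
      <cve>CVE-2021-34428</cve>
   </suppress>

   <suppress until="2022-06-30Z">
      <notes><![CDATA[
      CVE-2021-28168 on jersey-common pulled in via ehcache 2.x rest-management.
      Same temporary acceptance and review date as above.
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/org\.glassfish\.jersey\.core/jersey\-common@.*$</packageUrl>
      <cve>CVE-2021-28168</cve>
   </suppress>

</suppressions>
```

Pass the file to the CLI with `--suppression suppressions.xml` (the Maven, Gradle and Jenkins integrations have an equivalent suppression-file setting). Suppressing by `packageUrl` plus `cve` keeps the scope narrow: it hides only these two findings on these two artifacts, so any new CVE published against the same jars, or the same CVE on a different artifact, still shows up in the report.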