Vulnerability reports on maven central


Michael Musgrove

Jul 20, 2022, 7:29:26 AM7/20/22
to JaCoCo and EclEmma Users
Hi, please could you advise on the vulnerability report by maven central for the dependency `org.jacoco:org.jacoco.ant:0.8.8` and whether or not the jar is safe to use?

I did try searching the forum, FAQs, etc. for an answer. These CVEs have been present in all releases, so I guess the team have evaluated them and concluded that they don't actually affect the usage of the dependency?

Evgeny Mandrikov

Jul 20, 2022, 10:03:25 AM7/20/22
to JaCoCo and EclEmma Users
On Wednesday, July 20, 2022 at 1:29:26 PM UTC+2 michael....@gmail.com wrote:
Hi, please could you advise on the vulnerability report by maven central for the dependency `org.jacoco:org.jacoco.ant:0.8.8` and whether or not the jar is safe to use?

Hi,

It is not clear to which report you're referring - for example page
states that
This version of org.jacoco.ant has no known vulnerabilities! 🎉

So could you please give us the exact link to this report?

Giacomo Boccardo

Jul 20, 2022, 10:08:22 AM7/20/22
to jac...@googlegroups.com


Evgeny Mandrikov

Jul 20, 2022, 10:53:24 AM7/20/22
to JaCoCo and EclEmma Users
On Wednesday, July 20, 2022 at 4:08:22 PM UTC+2 gboc...@gmail.com wrote:

In this case please carefully study this report and CVEs mentioned in it - these vulnerabilities are not in JaCoCo, but in Ant

[attached image: Screenshot 2022-07-20 at 16.09.12.png]

and
state
Apache Ant prior to 1.9.16 and 1.10.11 were affected.

states
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files

org.jacoco.ant has a dependency on Ant with scope "provided" because org.jacoco.ant is to be used from/with Ant,
and org.jacoco.ant is compatible with different Ant versions, including vulnerable Ant versions.

In other words, you can be affected by these vulnerabilities only if you use vulnerable Ant versions, i.e. prior to 1.10.11,
and cannot be affected if you use Ant versions that have fixes for them, e.g. the latest as of today, Ant 1.10.12.
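
As an added example that is not part of this thread or of JaCoCo: a small Python checker that applies the fix thresholds quoted above (Ant 1.9.16 and 1.10.11) to whatever Ant version a build actually puts on the classpath, which is what matters given the "provided" scope. The dependency tree is a constructed sample in `mvn dependency:tree` format, and treating any Ant line newer than 1.10 as fixed is an assumption.

```python
import re
from typing import Optional, Tuple

# First fixed release of each Ant line named in the thread.
FIXED_ANT = {(1, 9): (1, 9, 16), (1, 10): (1, 10, 11)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.12' into (1, 10, 12); non-numeric suffixes are dropped."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def ant_is_vulnerable(version: str) -> bool:
    """True if this Ant release predates the fix for its line (1.9.x or 1.10.x).
    Lines older than 1.9 never received a fix; lines newer than 1.10 are
    assumed fixed (assumption, not stated in the thread)."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_ANT:
        return v < FIXED_ANT[line]
    return line < (1, 9)


# Constructed sample of `mvn dependency:tree` output (not from the thread).
# Ant appears as the project's own "provided" dependency, as in the thread.
SAMPLE_TREE = """\
[INFO] com.example:build:jar:1.0
[INFO] +- org.jacoco:org.jacoco.ant:jar:0.8.8:test
[INFO] \\- org.apache.ant:ant:jar:1.10.12:provided
"""


def find_ant(tree: str) -> Optional[Tuple[str, str]]:
    """Return (version, scope) of org.apache.ant:ant from a dependency tree, or None."""
    m = re.search(r"org\.apache\.ant:ant:jar:([^:\s]+):(\w+)", tree)
    return (m.group(1), m.group(2)) if m else None


def assess(tree: str) -> str:
    """Summarise whether the Ant on the classpath still carries the reported CVEs."""
    found = find_ant(tree)
    if found is None:
        return "no Ant on the classpath: the Ant CVEs cannot apply here"
    version, scope = found
    status = "VULNERABLE" if ant_is_vulnerable(version) else "fixed"
    return f"Ant {version} ({scope}): {status}"


if __name__ == "__main__":
    print(assess(SAMPLE_TREE))
```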

Michael Musgrove

Jul 29, 2022, 5:15:46 AM7/29/22
to JaCoCo and EclEmma Users

Ah right, I missed that, thanks very much for your in-depth analysis.