Check if we can get rid of some components with vulnerabilitiesΒ #92
Description
When releasing to maven central a security report is created. I will post a report link here, but I do not know how long it will remain available.
Here are the top two candidates, both transitive (probably Xtext):
pkg:maven/log4j/log4j@1.2.17
- [CVE-2019-17571] CWE-502: Deserialization of Untrusted Data
- [CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- [CVE-2022-23302] CWE-502: Deserialization of Untrusted Data
- [CVE-2022-23307] CWE-502: Deserialization of Untrusted Data
- [CVE-2021-4104] CWE-502: Deserialization of Untrusted Data
- [CVE-2023-26464] CWE-502: Deserialization of Untrusted Data
pkg:maven/com.google.guava/guava@31.0.1-jre
- [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties
- [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions