Dependency 'org.json' has vulnerabilities

[jrpedrianes]

What happened:

Dependency org.json is a transitive dependency from everit-json-schema that has vulnerabilities (CVE Name: Cx78f40514-81ff)

stleary/JSON-java#484

The everit-json-schema maintainer released a new version fixing it: https://github.com/everit-org/json-schema/releases

[tsurdilo]

Thanks for reporting this. Will update and test.

[cb-manick]

I will take a look at this

[jrpedrianes]

Here you have a link where the issue is examined: stleary/JSON-java#484, the first is not correct 🤷‍♂️, I'm going to change it.

Also indicate that commons-validator depends on commons-collections and in version 1.6 has a minor issue, see:

https://issues.apache.org/jira/browse/COLLECTIONS-701
checkmarx-ts/checkmarx-github-action#187

[jrpedrianes]

sorry :(, closed by mistake 😮‍💨

[tsurdilo]

@jrpedrianes no problem, interested to find out what other projects are using for CVE reporting. Something free would be nice to have so we can react on these issues faster.

[jrpedrianes]

I think that you can use this https://github.com/apps/whitesource-for-github-com for free in github public repositories.

But Im not sure,

[tsurdilo]

Ok yeah let's give that try definitely, thanks.

[tsurdilo]

enabled for all sdk repos

[tsurdilo]

weird, whitesource is part of our build now but its not reporting this particular issue

[manick02]

@jrpedrianes what tool identified this vulnerability? @tsurdilo how can I access vulnerability report for this repo