Uploaded image for project: 'Ignite'
  1. Ignite
  2. IGNITE-9900

Upgrade annotations.jar to a new version

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.8
    • None
    • None

    Description

      OWASP Dependency Check reports that annotations.jar of version 13.0 is affected by vulnerability CVE-2017-8316,
      while it obviously isn't (the CVE is about XXE attack, and annotations.jar is, well, annotations).

      The issue is that NVD database only says that "intellij_idea" is affected, and OWASP doesn't know better than to map annotations.jar to the intellij_idea product.

      While the problem could be (and perhaps will be, see https://youtrack.jetbrains.com/issue/IDEA-200601) sorted out on the level of OWASP and NVD, the easiest way to workaround this is to upgrade annotations.jar to a new version (currently 16.0.3). It will help Ignite users to avoid annoying false-positive warnings from OWASP.

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #5004

          Activity

            People

              slukyanov Stanislav Lukyanov
              slukyanov Stanislav Lukyanov
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: