Uploaded image for project: 'Ignite'
  1. Ignite
  2. IGNITE-9900

Upgrade annotations.jar to a new version

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.8
    • None
    • None

    Description

      OWASP Dependency Check reports that annotations.jar of version 13.0 is affected by vulnerability CVE-2017-8316,
      while it obviously isn't (the CVE is about XXE attack, and annotations.jar is, well, annotations).

      The issue is that NVD database only says that "intellij_idea" is affected, and OWASP doesn't know better than to map annotations.jar to the intellij_idea product.

      While the problem could be (and perhaps will be, see https://youtrack.jetbrains.com/issue/IDEA-200601) sorted out on the level of OWASP and NVD, the easiest way to workaround this is to upgrade annotations.jar to a new version (currently 16.0.3). It will help Ignite users to avoid annoying false-positive warnings from OWASP.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            slukyanov Stanislav Lukyanov
            slukyanov Stanislav Lukyanov
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment