so/libs | com.fasterxml.jackson.core | False positive. Jackson: can be an issue if we leave default typing on. | No action. All existing jackson-databind versions have vulnerability issues.
SO | org.eclipse.jetty | Pulled in by Spring Boot 1.5.13-RELEASE. Note: We don't use Jetty, but it is impractical to exclude. | Planning for a Spring Boot upgrade to 2.0 in Dublin.
com.fasterxml.jackson.core | False positive. Jackson: can be an issue if we leave default typing on. | No action. All existing jackson-databind versions have vulnerability issues.
ch.qos.logback | False positive. Pulled in by Spring Boot 1.5.13-RELEASE. | Planning for a Spring Boot upgrade to 2.0 in Dublin.
org.slf4j | Pulled in by Spring Boot 1.5.13-RELEASE and also specified by SO. | Planning for a Spring Boot upgrade to 2.0 in Dublin.
org.apache.tomcat.embed | False positive. Pulled in by Spring Boot 1.5.13-RELEASE. Note: Tomcat CORS is turned off in our application, so this is not really an issue. | No action. Planning for a Spring Boot upgrade to 2.0 in Dublin.
org.apache.commons | False positive. SO doesn't use any email features in BPMN. Pulled in by Camunda 7.8.0. | No action for Casablanca. File for exception in Casablanca; upgrade Camunda to 1.9.0 in Dublin.
org.slf4j-ext | False positive. Not used in SO code; pulled in from org.springframework.boot:spring-boot-starter-logging:jar:1.5.13.RELEASE. | No action in Casablanca.
jetty-http | False positive. No dependency found.
logback-classic | False positive. No direct dependency; pulled in from org.springframework.boot:spring-boot-starter-web:jar:1.5.13.RELEASE.
jQuery 1.10.2 | False positive. We don't have any UI code dependent on jQuery in SO. Pulled in by Spring Boot 1.5.13-RELEASE. | Planning for a Spring Boot upgrade to 2.0 in Dublin.
org.springframework.data | Used as the framework of SO now; an upgrade of the Spring framework would resolve the issue. Pulled in by Spring Boot 1.5.13-RELEASE. | Planning for a Spring Boot upgrade to 2.0 in Dublin.
org.springframework | Used as the framework of SO now; an upgrade of the Spring framework would resolve the issue. Pulled in by Spring Boot 1.5.13-RELEASE. | Planning for a Spring Boot upgrade to 2.0 in Dublin.
com.h2database | Used for testing purposes only; no feature impact in production. No vulnerability-free version is available yet. The one currently used has Highest Policy Threat: 3. | No action for Casablanca.
commons-fileupload | False positive. We don't use any of the file upload features directly in SO code. Pulled in by Spring Boot 1.5.13-RELEASE. | No action for Casablanca. Planning for a Spring Boot upgrade to 2.0 in Dublin.
org.googlecode.libphonenumber | False positive. JavaScript library for parsing, formatting, and validating international phone numbers. We don't use libphonenumber in SO code, but it is impractical to exclude. | No action for Casablanca.
org.springframework | False positive. Pulled in by Spring Boot 1.5.13-RELEASE. This is a required module; an upgrade to Spring Boot 2.0 would help in the resolution. | No action for Casablanca. Planning for a Spring Boot upgrade to 2.0 in Dublin.
javax.mail | False positive. We don't use javax.mail, but it is impractical to exclude. We aren't using any email features in SO. | No action for Casablanca.