lvincel commented on pull request #406: URL: https://github.com/apache/maven/pull/406#issuecomment-737094812
Us too: our several security scans each flag maven-resolver-*.1.4.1.jar as involved in this CVE. We manually upgraded those libraries from the Maven 3.6.3 release to 1.6.1, and it's fine now. The question we have is: are those libraries causing the potential risk, or is it the use that Gradle made of them that caused the risk, in which case the CVE flags the wrong libraries? This is unclear.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: us...@infra.apache.org