Now tracked via: https://issues.apache.org/jira/browse/MNG-7432
On 15.03.2022 at 13:52, Falko Modler wrote:
FTR, problem confirmed, see:
- https://github.com/quarkusio/quarkus/pull/24285#issuecomment-1067713252
- https://github.com/quarkusio/quarkus/pull/24285#issuecomment-1067738029
There is
Hi,
We solved 7 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12330847&styleName=Text&projectId=12317527
There are still a couple of issues left in JIRA:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20JXR%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20pr
FTR, problem confirmed, see:
- https://github.com/quarkusio/quarkus/pull/24285#issuecomment-1067713252
- https://github.com/quarkusio/quarkus/pull/24285#issuecomment-1067738029
There is also a quickfix PR: https://github.com/apache/maven/pull/695
Quarkus team member Alexey Loubyansky is trying t
Right, forging CVEs may be a serious problem, thanks for bringing this up.
> On 15. Mar 2022, at 13:41, Romain Manni-Bucau wrote:
>
> Hi,
>
> I got a lot of false positives too but wonder why CPE coordinates are not
> able to use the gavtc coordinates, it sounds easy to do instead of using a
>
Hi,
I got a lot of false positives too but wonder why CPE coordinates are not
able to use the gavtc coordinates, it sounds easy to do instead of using a
bucket for all artifacts.
I don't think artifacts should be able to give their own id since it would
make it possible to bypass an identified CVE or "steal CV
thanks for your fast reply, Brian!
If I'm not mistaken, from a CPE's perspective each published artifact is its own
"product", no matter whether it's being built as part of a bigger project.
Furthermore the CPEs don't get derived from Maven GAV (and I would not
force-derive anything if the va
Hi Sebastian,
The challenge is that CPE as a coordinate system doesn’t have enough
specificity to match artifacts. It has organization/product/version and
therefore doesn’t have the ability to capture sub module. This is what
leads to most of the mismatch issues seen in CVE based tools (but not al
Hi,
I'm new on this mailing list and this might not be the appropriate place to
discuss ideas to extend the pom format, so please redirect me to the right
place ;-)
We've recently had a lot of struggles with both false positives and false
negatives with a vulnerability scanner, as there is no