
Dependency Information
When running clj-watson in a project with

org.clojure/data.fressian {:mvn/version "1.1.1"}

I get the following warning, referring to CVE-2018-10054 (relates to a vulnerability in H2 and its usage in older versions of Datomic). I assume this is a false positive.


NAME: org.fressian/fressian
VERSION: 0.6.8

DEPENDENCY FOUND IN:

[org.clojure/data.fressian]

FIX SUGGESTION:

Vulnerabilities

SEVERITY: HIGH
IDENTIFIERS: CVE-2018-10054
CVSS: 8.8 (version 3.1)
PATCHED VERSION: Information not available.

1 Answer


I agree that this is a false positive. Neither org.fressian/fressian nor org.clojure/data.fressian depends on either Datomic or H2, explicitly or implicitly (even via test deps), so I'm not sure how that could be possible.

clj-watson depends on https://github.com/dependency-check/DependencyCheck to do its checks, and you can report false positives as an issue on its issue tracker https://github.com/dependency-check/DependencyCheck/issues.
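While the upstream false-positive report is pending, the practical fix is to suppress this one finding locally rather than silence the scanner. The file below is an added example, not part of the question, the answer, or clj-watson's own documentation. It uses DependencyCheck's suppression XML format (the `packageUrl` / `cve` elements and the 1.3 schema namespace are real). Passing it to clj-watson via its suppression-file option is an assumption here: check the clj-watson README for the exact flag in the version you run. The `<notes>` text is constructed for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppression.xml: DependencyCheck suppression file (added example, constructed for this page). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2018-10054 is an H2 database issue. org.fressian/fressian
      (pulled in by org.clojure/data.fressian) does not depend on H2 or Datomic.
      Upstream report: https://github.com/dependency-check/DependencyCheck/issues
    ]]></notes>
    <!-- Scope the suppression as tightly as possible: only this package... -->
    <packageUrl regex="true">^pkg:maven/org\.fressian/fressian@.*$</packageUrl>
    <!-- ...and only this CVE, so any future, genuine fressian finding still surfaces. -->
    <cve>CVE-2018-10054</cve>
  </suppress>
</suppressions>
```

Keeping both the `packageUrl` and the `cve` element in the same `<suppress>` block is the important part: a suppression keyed on the CVE alone would also hide the finding if H2 were ever actually introduced into the dependency tree. Before committing the suppression, it is also worth confirming the absence of H2 yourself with `clojure -X:deps tree` on the project and grepping the output for `h2` or `datomic`.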

...